Fix ruby-jwt — CVE-2024-21979 HIGH
Last updated: April 1, 2026 · Data: OSV Database
ruby-jwt is often a transitive dependency. You may have it without knowing.
Auth0, Devise-JWT, and several other API authentication gems declare ruby-jwt as a dependency, so Bundler resolves it for you. If you use any of them, a vulnerable version can be locked in your Gemfile.lock even though it never appears in your Gemfile. This is called a transitive dependency. Note that the project is called ruby-jwt but the gem is published on RubyGems as jwt, which is the name to look for in the lockfile.
```shell
# Check if ruby-jwt is pulled in transitively
bundle list | grep jwt
# If it appears, check the version
bundle exec gem list jwt
```
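To make the same check reproducible in CI, here is an added example (not PackageFix's or the ruby-jwt project's code) that parses a Gemfile.lock, reports the resolved jwt version, whether it is below the fixed version, and the dependency chain that brought it in. The lockfile excerpt embedded below is constructed for the demonstration: the gem names are real, but the versions and constraints are illustrative rather than those gems' actual metadata.

```ruby
require 'rubygems' # for Gem::Version comparisons

# Constructed Gemfile.lock excerpt for the demonstration: the gem names are real,
# but the versions and constraints are illustrative, not the gems' actual metadata.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      devise-jwt (0.11.0)
        devise (~> 4.0)
        warden-jwt_auth (~> 0.8)
      jwt (2.7.0)
      warden-jwt_auth (0.8.0)
        jwt (~> 2.1)
        warden (~> 1.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    devise-jwt
LOCK

Spec = Struct.new(:name, :version, :deps)

# Parse every `specs:` block of a lockfile into name => Spec.
# A 4-space-indented line is a resolved gem; 6-space-indented lines beneath it
# are that gem's runtime dependencies.
def parse_lock_specs(text)
  specs = {}
  current = nil
  in_specs = false
  text.each_line do |line|
    if line.strip == 'specs:'
      in_specs = true
      next
    end
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)/))
      version = m[2].split('-').first # drop a platform suffix such as -x86_64-linux
      current = Spec.new(m[1], Gem::Version.new(version), [])
      specs[current.name] = current
    elsif (m = line.match(/\A {6}(\S+)/))
      current.deps << m[1] if current
    elsif line.strip.empty?
      in_specs = false # a blank line closes the GEM/GIT/PATH section
    end
  end
  specs
end

# Gems in the lockfile that list gem_name as a direct dependency.
def dependents_of(specs, gem_name)
  specs.values.select { |s| s.deps.include?(gem_name) }.map(&:name)
end

# All paths from a top-level gem down to gem_name, e.g.
# ["devise-jwt", "warden-jwt_auth", "jwt"]. Cycle-guarded via `seen`.
def dependency_paths(specs, gem_name, seen = [])
  parents = dependents_of(specs, gem_name) - seen
  return [[gem_name]] if parents.empty?
  parents.flat_map do |parent|
    dependency_paths(specs, parent, seen + [gem_name]).map { |path| path + [gem_name] }
  end
end

# True when gem_name is resolved in the lockfile at a version below fixed_version.
def vulnerable?(specs, gem_name, fixed_version)
  spec = specs[gem_name]
  return false unless spec # not in the bundle at all
  spec.version < Gem::Version.new(fixed_version)
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby check_jwt_lock.rb [path/to/Gemfile.lock]; falls back to the sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  specs = parse_lock_specs(text)
  if vulnerable?(specs, 'jwt', '2.8.1')
    puts "jwt #{specs['jwt'].version} is below 2.8.1 (CVE-2024-21979)"
    dependency_paths(specs, 'jwt').each { |path| puts "  via #{path.join(' -> ')}" }
  else
    puts 'jwt is absent or already at 2.8.1 or later'
  end
end
```

Point it at a real Gemfile.lock to see which top-level gem is responsible for the locked jwt version; that is the gem whose constraint has to allow 2.8.1 before `bundle update` can move it.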
Fix CVE-2024-21979 (HIGH) in ruby-jwt for Ruby: algorithm confusion via acceptance of the none algorithm. Paste your Gemfile into PackageFix and get a patched version; no CLI, no signup.
CVE-2024-21979 (HIGH): algorithm confusion via acceptance of the none algorithm in ruby-jwt versions below 2.8.1. In this class of bug, a token whose header declares "alg": "none" and carries an empty signature segment is treated as verified, so anyone who can submit a token can present arbitrary claims (a different subject, an elevated role) without knowing the signing key.
Vulnerable Version — Gemfile

```ruby
gem 'jwt', '2.7.0'
```

Fixed Version — Gemfile

```ruby
gem 'jwt', '2.8.1'
```
Update ruby-jwt to 2.8.1 or later. If jwt is pinned in your Gemfile, change the pin and run bundle install. If it is only a transitive dependency, run `bundle update --conservative jwt` so that jwt moves without unrelated gems being bumped; if the new version is refused, a dependent gem's constraint is holding it back and that gem needs updating too. Confirm the new version in Gemfile.lock, then verify with your ecosystem's audit tool (for Ruby, bundler-audit) after updating. Upgrading the gem is necessary but not sufficient: every JWT.decode call should run with verification enabled and an explicit algorithm option, so the accepted algorithm comes from your code rather than from the token header.
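What "none algorithm acceptance" looks like in code, and how a verifier that pins the algorithm prevents it. This is an added example written for this page, not ruby-jwt's implementation: it hand-rolls a minimal HS256 encoder and two decoders over Ruby's standard library, with a constructed secret and payload, so it runs without the jwt gem installed. The vulnerable decoder takes the algorithm from the token header; the hardened one takes it from the caller.

```ruby
require 'json'
require 'base64'
require 'openssl'

class VerificationError < StandardError; end

# Constructed demonstration secret; a real key would be random and kept out of source.
DEMO_SECRET = 'demo-secret-do-not-use'.freeze

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str)
rescue ArgumentError
  raise VerificationError, 'malformed base64url segment'
end

# Mint a properly signed HS256 token (header.payload.signature).
def encode_hs256(payload, secret)
  signing_input = "#{b64url(JSON.generate({ alg: 'HS256', typ: 'JWT' }))}.#{b64url(JSON.generate(payload))}"
  "#{signing_input}.#{b64url(OpenSSL::HMAC.digest('SHA256', secret, signing_input))}"
end

# What an attacker submits: a header claiming alg none and an empty signature segment.
def forge_none_token(payload)
  "#{b64url(JSON.generate({ alg: 'none', typ: 'JWT' }))}.#{b64url(JSON.generate(payload))}."
end

# Constant-time comparison so the signature check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# VULNERABLE: the token header decides how (and whether) the signature is checked.
def decode_trusting_header(token, secret)
  h, p, s = token.split('.', 3)
  raise VerificationError, 'malformed token' if [h, p, s].any?(&:nil?)
  header = JSON.parse(b64url_decode(h))
  case header['alg']
  when 'none'
    JSON.parse(b64url_decode(p)) # BUG: no signature, yet the claims are returned as trusted
  when 'HS256'
    expected = b64url(OpenSSL::HMAC.digest('SHA256', secret, "#{h}.#{p}"))
    raise VerificationError, 'bad signature' unless secure_equal?(expected, s)
    JSON.parse(b64url_decode(p))
  else
    raise VerificationError, "unsupported alg #{header['alg'].inspect}"
  end
end

# HARDENED: the caller names the only acceptable algorithm; 'none' is never selectable
# from the token, and a header that disagrees is rejected before any claim is read.
def decode_pinned(token, secret, expected_alg: 'HS256')
  raise ArgumentError, 'only HS256 is implemented in this example' unless expected_alg == 'HS256'
  h, p, s = token.split('.', 3)
  raise VerificationError, 'malformed token' if [h, p, s].any?(&:nil?) || s.empty?
  header = JSON.parse(b64url_decode(h))
  raise VerificationError, 'algorithm mismatch' unless header['alg'] == expected_alg
  expected = b64url(OpenSSL::HMAC.digest('SHA256', secret, "#{h}.#{p}"))
  raise VerificationError, 'bad signature' unless secure_equal?(expected, s)
  JSON.parse(b64url_decode(p))
end

if __FILE__ == $PROGRAM_NAME
  forged = forge_none_token({ 'sub' => 'alice', 'admin' => true })
  puts "trusting header: #{decode_trusting_header(forged, DEMO_SECRET).inspect}" # accepted as-is
  begin
    decode_pinned(forged, DEMO_SECRET)
  rescue VerificationError => e
    puts "pinned: rejected (#{e.message})"
  end
end
```

With the real gem, the equivalent of decode_pinned is passing the algorithm explicitly and leaving verification on: JWT.decode(token, secret, true, { algorithm: 'HS256' }). A decode call whose third argument is false, or whose options leave the algorithm to be inferred, is worth a grep regardless of which ruby-jwt version is locked.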
Paste your manifest — get back a fixed version with all CVEs patched in seconds.
Open PackageFix → No signup · No CLI · No GitHub connection · Runs 100% in your browser
CVE Details
| Field | Value |
|---|---|
| CVE ID | CVE-2024-21979 |
| Severity | HIGH |
| Package | ruby-jwt (Ruby) |
| Vulnerable versions | Below 2.8.1 |
| Safe version | 2.8.1 |
| CISA KEV | — |
| Description | Algorithm confusion attack via none algorithm acceptance |