Refactor to support firebase/php-jwt 7.X #24
Merged
jeffreyparker merged 2 commits into main, Jan 23, 2026
Conversation
php-jwt v7 enforces strict HMAC key length validation (64 bytes for HS512). This pads the 40-byte client secret to 64 bytes with null bytes, which produces identical HMAC output since HMAC internally pads to block size. Fixes CVE-2025-45769 compatibility while maintaining support for php-jwt v6.
AaronAtDuo approved these changes, Jan 23, 2026
Description
firebase/php-jwt 7.0 enforces a minimum key length of 64 on JWTs using HMAC512, but Duo uses a length of 40. The recommended solution is to pad out the key to the required size. (We had this same situation in duo_universal_csharp: duosecurity/duo_universal_csharp#23.) This allows the client to support both php-jwt 6.X and 7.X.
Motivation and Context
Support for newer versions of dependencies. (Note that this issue was labelled as a CVE in firebase/php-jwt, but is not an actual vulnerability: firebase/php-jwt#605.)
How Has This Been Tested?
Tested locally both with firebase/php-jwt 6.X and 7.X.
Types of Changes
Thank you to @ishanvyas22 for bringing this issue to our attention!
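The description above rests on one cryptographic fact: an HMAC key shorter than the hash's block size is zero-padded to that block size before use, so a 40-byte secret and the same secret NUL-padded to 64 bytes yield byte-identical HMAC-SHA512 output, and a token minted with one verifies under the other. The block below checks that claim directly and also shows the boundary where it stops holding (padding past the 128-byte SHA-512 block size, where HMAC hashes the key instead). It is an added example written for this page, not code from duo_universal_php or firebase/php-jwt; it is in Python rather than PHP so it can be run without either library, the 40-byte `CLIENT_SECRET` is a constructed value and not a real credential, and `hs512_jwt`/`verify_hs512` are a minimal stand-in signer, not php-jwt's API.

```python
import base64
import hashlib
import hmac
import json

# Constructed 40-byte secret, the length the PR says Duo client secrets have.
# Not a real credential; assumption for illustration only.
CLIENT_SECRET = b"0123456789abcdefghijklmnopqrstuvwxyzABCD"
assert len(CLIENT_SECRET) == 40

MIN_HS512_KEY_BYTES = 64    # minimum php-jwt 7 enforces for HS512, per the PR
SHA512_BLOCK_BYTES = 128    # HMAC-SHA512 block size (RFC 2104 / RFC 6234)


def pad_key(secret: bytes, min_len: int = MIN_HS512_KEY_BYTES) -> bytes:
    """Right-pad the secret with NUL bytes up to min_len, as the PR does.

    Keys already at least min_len bytes are returned unchanged.
    """
    if len(secret) >= min_len:
        return secret
    return secret + b"\x00" * (min_len - len(secret))


def same_hmac(key_a: bytes, key_b: bytes, msg: bytes = b"probe") -> bool:
    """True when both keys produce the same HMAC-SHA512 tag over msg."""
    tag_a = hmac.new(key_a, msg, hashlib.sha512).digest()
    tag_b = hmac.new(key_b, msg, hashlib.sha512).digest()
    return tag_a == tag_b


def _b64url(data: bytes) -> str:
    # JWT uses unpadded base64url (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def hs512_jwt(claims: dict, key: bytes) -> str:
    """Minimal HS512 signer (example stand-in, not php-jwt)."""
    header = {"typ": "JWT", "alg": "HS512"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha512).digest()
    return signing_input + "." + _b64url(sig)


def verify_hs512(token: str, key: bytes) -> bool:
    """Recompute the HS512 tag over header.payload and compare in constant time."""
    signing_input, _, sig_b64 = token.rpartition(".")
    expected = hmac.new(key, signing_input.encode("ascii"), hashlib.sha512).digest()
    actual = base64.urlsafe_b64decode(sig_b64 + "=" * (-len(sig_b64) % 4))
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    padded = pad_key(CLIENT_SECRET)
    print("40-byte vs 64-byte NUL-padded key, same HMAC:", same_hmac(CLIENT_SECRET, padded))
    print("40-byte vs 128-byte NUL-padded key, same HMAC:",
          same_hmac(CLIENT_SECRET, pad_key(CLIENT_SECRET, SHA512_BLOCK_BYTES)))
    print("40-byte vs 129-byte NUL-padded key, same HMAC:",
          same_hmac(CLIENT_SECRET, pad_key(CLIENT_SECRET, SHA512_BLOCK_BYTES + 1)))
    token = hs512_jwt({"sub": "example"}, CLIENT_SECRET)
    print("token signed with raw key verifies with padded key:", verify_hs512(token, padded))
```

The 129-byte case is the caveat to keep in mind if the padding target ever changes: once a key exceeds the block size, HMAC replaces it with its hash, and the tags no longer match those of the original 40-byte secret. Padding to 64 (or anything up to 128) is safe for HS512; the equivalent limit for HS256 is the 64-byte SHA-256 block size.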