smallrye-jwt and Java ECDSA Signature Vulnerability

Skip to first unread message

Sergey Beryozkin

May 5, 2022, 9:02:17 AM5/5/22
to SmallRye

We prepared a message to the Quarkus community last week about the Java 17/18 ECDSA Signature Vulnerability:

but I've realized now that not all smallrye-jwt users are Quarkus users.
There was a smallrye-jwt issue opened a while back to support ECDSA signature verification, MP JW 1.2 now formally supports such signatures, so I think there is a high chance some applications using smallrye-jwt depend on such signatures.
So if you are one of the users who work with JWT tokens signed using an ES256 algorithm and use Java 17/18 then please make sure your JDK is patched with the latest April 2022 patch, see
for more details

Thanks, Sergey

Reply all
Reply to author
0 new messages