We prepared a message to the Quarkus community last week about the Java 17/18 ECDSA Signature Vulnerability:
but I've realized now that not all smallrye-jwt users are Quarkus users.
There was a smallrye-jwt issue opened a while back to support ECDSA signature verification, and MP JWT 1.2 now formally supports such signatures, so I think there is a high chance some applications using smallrye-jwt depend on such signatures.
So if you are one of the users who work with JWT tokens signed using the ES256 algorithm and use Java 17/18, then please make sure your JDK is patched with the latest April 2022 patch, see
for more details