Download Latest Version 4.1.7 source code.zip (376.7 kB)
Email in envelope

Get an email when there's a new version of PHP JWT Framework

Home / 3.4.10
Name Modified Size InfoDownloads / Week
Parent folder
3.4.10 source code.tar.gz 2026-06-06 134.8 kB
3.4.10 source code.zip 2026-06-06 478.7 kB
README.md 2026-06-06 838 Bytes
Totals: 3 Items   614.4 kB 1

Release Notes for 3.4.10

Security patch release.

This release addresses four security issues in the JOSE implementation:

  • PBES2-HS*+A*KW — the p2c (PBKDF2 iteration count) is now bounded (configurable) to prevent a CPU-amplification denial of service. (GHSA-3prj-6hqw-cm82)
  • ChaCha20-Poly1305 key encryption — the Poly1305 authentication tag is now emitted and verified; tampered tokens are rejected. (GHSA-6vvh-pxr4-25r7)
  • RSA1_5 — PKCS#1 v1.5 decryption now uses constant-time implicit rejection, mitigating Bleichenbacher-style padding oracles. (GHSA-5739-39v2-5754)
  • JWS — the alg parameter is read only from the integrity-protected header, preventing algorithm-confusion attacks. (GHSA-jc38-x7x8-2xc8)

Note: 3.4.10 ships the fixes; the accompanying test-suite update is included in 3.4.11.

Source: README.md, updated 2026-06-06