The jwt gem v2.x is affected by AIKIDO-2025-10399, a vulnerability involving insufficient verification of data authenticity. Attackers can bypass authentication by tampering with the token payload, potentially leading to unauthorised access or privilege escalation. The fix is available in jwt 3.1.0.
stream-chat-ruby currently constrains jwt to ~> 2.10, which prevents consumers from upgrading to the patched version. This effectively forces all stream-chat-ruby users to remain on a vulnerable jwt release.
Can the jwt constraint be relaxed to allow 3.x so that consumers can apply the security fix?
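As an added example (not code from the stream-chat-ruby project or the issue author), the following Ruby script shows why the pessimistic constraint `~> 2.10` quoted above blocks jwt 3.1.0, and how a relaxed range would admit it. It uses only the `Gem::Requirement` and `Gem::Version` classes that ship with RubyGems; the relaxed constraint `>= 2.10, < 4` and the list of probe versions are assumptions made for illustration, not a change the project has adopted.

```ruby
# Added example (not from the stream-chat-ruby project): evaluate how RubyGems
# interprets the pessimistic constraint "~> 2.10" versus a relaxed range, so a
# maintainer can verify whether a gemspec constraint admits a patched release.
require "rubygems"

# Constructed probe versions: a pre-2.10 release, the 2.10 line, the 3.x line
# (3.1.0 is the release the issue names as carrying the fix), and a 4.x release.
CANDIDATE_VERSIONS = %w[2.9.0 2.10.0 2.10.2 3.0.0 3.1.0 4.0.0].freeze

# The constraint the issue quotes from stream-chat-ruby.
CURRENT_CONSTRAINT = ["~> 2.10"].freeze

# Assumed relaxed constraint for illustration only (not a project decision):
# keep the existing lower bound, allow 3.x, and stop before the next major.
RELAXED_CONSTRAINT = [">= 2.10", "< 4"].freeze

# True if the requirement (one or more constraint strings) admits the version.
def constraint_allows?(constraint, version)
  Gem::Requirement.new(*constraint).satisfied_by?(Gem::Version.new(version))
end

# Map each candidate version to whether the constraint admits it.
def allowed_versions(constraint, versions = CANDIDATE_VERSIONS)
  versions.each_with_object({}) { |v, h| h[v] = constraint_allows?(constraint, v) }
end

# Does the constraint let a consumer install the release that carries the fix?
def admits_fix?(constraint, fixed_version = "3.1.0")
  constraint_allows?(constraint, fixed_version)
end

if $PROGRAM_NAME == __FILE__
  [["current", CURRENT_CONSTRAINT], ["relaxed", RELAXED_CONSTRAINT]].each do |label, c|
    puts "#{label} (#{c.join(', ')}): admits 3.1.0? #{admits_fix?(c)}"
    allowed_versions(c).each { |v, ok| puts "  #{v}: #{ok ? 'allowed' : 'blocked'}" }
  end
end
```

Running the script prints that `~> 2.10` admits 2.10.x but blocks every 3.x version, while the relaxed range admits 3.1.0 and still excludes a future 4.x. Widening a constraint across a major version is a dependency decision, not just a bound change: the library's changelog should be checked for API differences before the bound is raised.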