fix(sec): update bytes and jsonwebtoken by AnthonyMichaelTDM · Pull Request #1752 · loco-rs/loco

AnthonyMichaelTDM · 2026-03-09T09:04:14Z

Updates jsonwebtoken to a version that fixes CVE-2026-25537 (authentication bypass via type confusion)

I don't have a poc demonstrating loco is vulnerable to this, but the POC in the gh security advisory (linked) seems similar to how jsonwebtoken is used in loco so it's better safe than sorry imo

Updates bytes to a version that fixes CVE-2026-25541 (integrer overflow)

updates jsonwebtoken to a version that fixes CVE-2026-25537 updates bytes to a version that fixes CVE-2026-25541

AnthonyMichaelTDM · 2026-03-09T12:56:11Z

idk, what do you think is the best way to introduce these features that'll work within the current test suite?

I'd like to avoid just choosing one option and not making it configurable through feature flags

AnthonyMichaelTDM added 5 commits March 9, 2026 04:00

update bytes and jsonwebtoken

9751ad4

updates jsonwebtoken to a version that fixes CVE-2026-25537 updates bytes to a version that fixes CVE-2026-25541

feat: expose feature flags to set the crypto provider of jsonwebtoken

edf6e46

Update mod.rs

1421f8b

Update mod.rs

10004bf

Update mod.rs

a3bc72a

AnthonyMichaelTDM marked this pull request as draft March 9, 2026 12:55

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(sec): update bytes and jsonwebtoken#1752

fix(sec): update bytes and jsonwebtoken#1752
AnthonyMichaelTDM wants to merge 5 commits intoloco-rs:masterfrom
AnthonyMichaelTDM:dependencies

AnthonyMichaelTDM commented Mar 9, 2026

Uh oh!

AnthonyMichaelTDM commented Mar 9, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

AnthonyMichaelTDM commented Mar 9, 2026

Uh oh!

AnthonyMichaelTDM commented Mar 9, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant