Hello,
While exploring my OPNsense 25.1.11 installation, I noticed the following directory:
/usr/local/share/google-api-php-client/vendor/firebase/php-jwt
This code comes from the php-google-api-php-client package, which is pulled in as a dependency for certain OPNsense plugins integrating with Google services (DNS, API, etc.).
The issue:
• The client's composer.json requires:
"firebase/php-jwt": "^1.0 || ^2.0 || ^3.0 || ^4.0 || ^5.0"
• This explicitly excludes the 6.x branch.
• However, the vulnerability CVE-2021-46743 affects all versions prior to 6.0.0 of firebase/php-jwt.
• As a result, OPNsense ends up shipping a potentially vulnerable package with no straightforward way to upgrade.
Questions:
1. Is it expected behavior for OPNsense to still ship this old library with a known CVE?
2. Is there any plugin or functionality in OPNsense that strictly requires php-google-api-php-client (and thus php-jwt), or can the package be safely removed if unused?
3. Are there plans upstream (FreeBSD ports or OPNsense) to update php-google-api-php-client so it supports jwt 6.x, which includes the CVE fix?
Thanks in advance for any clarification.
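As an added illustration of the constraint problem described above (not code from OPNsense, FreeBSD ports or the Google client), the following Python script evaluates a Composer caret constraint and reports whether the fixed php-jwt release can ever be selected under it; the installed version used as input is a constructed sample, and the 6.0.0 fix threshold is the one stated in the post.

```python
"""Check whether a composer.json constraint can ever resolve to the release
that fixes a dependency's CVE (added example, not upstream code).

Assumptions: Composer caret semantics (^X.Y.Z allows >=X.Y.Z and <(X+1).0.0,
or <0.(Y+1).0 when X is 0) and constraints built as '||' unions of caret
ranges, which is all the php-google-api-php-client constraint uses."""
import re

FIXED_IN = (6, 0, 0)  # firebase/php-jwt release that fixes CVE-2021-46743

def parse_version(text):
    """'5.2' -> (5, 2, 0); pads to three numeric components."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def caret_range(spec):
    """Return (lower_inclusive, upper_exclusive) for a '^X.Y.Z' spec."""
    lower = parse_version(spec.lstrip("^"))
    major, minor, _ = lower
    upper = (major + 1, 0, 0) if major > 0 else (0, minor + 1, 0)
    return lower, upper

def allowed_ranges(constraint):
    """Split a '||' union into its caret ranges."""
    return [caret_range(s) for s in re.split(r"\s*\|\|\s*", constraint.strip())]

def satisfies(version, constraint):
    """True if the version tuple falls inside any range of the constraint."""
    return any(lo <= version < hi for lo, hi in allowed_ranges(constraint))

def fix_reachable(constraint, fixed_in=FIXED_IN):
    """True if at least one version >= fixed_in is permitted by the constraint."""
    return any(hi > fixed_in for _, hi in allowed_ranges(constraint))

def is_vulnerable(installed, fixed_in=FIXED_IN):
    """True if the installed version predates the fixing release."""
    return parse_version(installed) < fixed_in

if __name__ == "__main__":
    constraint = "^1.0 || ^2.0 || ^3.0 || ^4.0 || ^5.0"  # from the post
    installed = "5.2.1"  # constructed sample; take it from vendor/composer/installed.json
    print("installed php-jwt vulnerable:", is_vulnerable(installed))
    print("fix reachable under constraint:", fix_reachable(constraint))
    print("fix reachable if ^6.0 is added:", fix_reachable(constraint + " || ^6.0"))
```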
25.1 is an unsupported EOL release. Upgrade to the supported 25.7.
It is the one that comes with the official AWS market image.
I will try to upgrade later and verify whether this issue is gone.
Thanks for your quick answer.
Seems to be ok with version 25.7!
Thanks