Messages - Chopnsense

#1
Seems to be ok with version 25.7!

Thanks
#2
It is the one that comes with the official AWS market image.

I will try to upgrade later and verify whether this issue is gone.

Thanks for your quick answer.
#3
Hello,

While exploring my OPNsense 25.1.11 installation, I noticed the following directory:

/usr/local/share/google-api-php-client/vendor/firebase/php-jwt

This code comes from the php-google-api-php-client package, which is pulled in as a dependency for certain OPNsense plugins integrating with Google services (DNS, API, etc.).

The issue:
• The client's composer.json requires:

"firebase/php-jwt": "^1.0 || ^2.0 || ^3.0 || ^4.0 || ^5.0"

• This explicitly excludes the 6.x branch.
• However, the vulnerability CVE-2021-46743 affects all versions prior to 6.0.0 of firebase/php-jwt.
• As a result, OPNsense ends up shipping a potentially vulnerable package with no straightforward way to upgrade.

Questions:
1. Is it expected behavior for OPNsense to still ship this old library with a known CVE?
2. Is there any plugin or functionality in OPNsense that strictly requires php-google-api-php-client (and thus php-jwt), or can the package be safely removed if unused?
3. Are there plans upstream (FreeBSD ports or OPNsense) to update php-google-api-php-client so it supports jwt 6.x, which includes the CVE fix?

Thanks in advance for any clarification.
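An added check, not part of the post above or of OPNsense, that evaluates the composer.json constraint quoted there against the fixed-in version of CVE-2021-46743 (6.0.0, as stated in the post). It assumes Composer's caret (`^`) range semantics and reports whether the constraint could ever resolve to a patched release, plus whether a given installed version is still in the affected range.

```python
import re

# Constructed inputs taken from the post: the constraint that
# php-google-api-php-client places on firebase/php-jwt, and the release in
# which CVE-2021-46743 is fixed (all versions prior to 6.0.0 are affected).
CONSTRAINT = "^1.0 || ^2.0 || ^3.0 || ^4.0 || ^5.0"
FIXED_IN = (6, 0, 0)

def parse_version(text):
    """Turn '5.2' or 'v6.0.0' into a 3-tuple of ints, padding missing parts with 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def caret_range(spec):
    """Composer caret semantics: ^X.Y.Z allows >=X.Y.Z and <(X+1).0.0;
    for 0.Y.Z the upper bound is 0.(Y+1).0 and for 0.0.Z it is 0.0.(Z+1)."""
    low = parse_version(spec)
    if low[0] > 0:
        high = (low[0] + 1, 0, 0)
    elif low[1] > 0:
        high = (0, low[1] + 1, 0)
    else:
        high = (0, 0, low[2] + 1)
    return low, high

def allowed_ranges(constraint):
    """Split a Composer OR-constraint ('a || b') into [(low, high_exclusive), ...]."""
    ranges = []
    for alt in constraint.split("||"):
        alt = alt.strip()
        if not alt.startswith("^"):
            raise ValueError(f"only caret constraints are handled here: {alt!r}")
        ranges.append(caret_range(alt[1:]))
    return ranges

def can_resolve_to_fix(constraint, fixed_in):
    """True if some range in the constraint admits a version >= fixed_in,
    i.e. Composer could pick a patched release without editing composer.json."""
    return any(high > fixed_in for _, high in allowed_ranges(constraint))

def is_vulnerable(installed_version, fixed_in):
    """True if the installed release predates the fixing release."""
    return parse_version(installed_version) < fixed_in

if __name__ == "__main__":
    print("constraint admits a fixed version:", can_resolve_to_fix(CONSTRAINT, FIXED_IN))
    for v in ("5.5.1", "6.0.0", "6.10.0"):
        print(v, "vulnerable" if is_vulnerable(v, FIXED_IN) else "fixed")
```

For the constraint quoted in the post the check reports that no patched release can be selected, which is the "no straightforward way to upgrade" situation the post describes; widening the constraint to include `^6.0` flips the result.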