Vulnerable firebase/php-jwt dependency (CVE-2021-46743) in google-api-php-client

Started by Chopnsense, September 22, 2025, 12:56:09 PM

Hello,

While exploring my OPNsense 25.1.11 installation, I noticed the following directory:

/usr/local/share/google-api-php-client/vendor/firebase/php-jwt

This code comes from the php-google-api-php-client package, which is pulled in as a dependency for certain OPNsense plugins integrating with Google services (DNS, API, etc.).

The issue:
• The client's composer.json requires:

"firebase/php-jwt": "^1.0 || ^2.0 || ^3.0 || ^4.0 || ^5.0"

• This explicitly excludes the 6.x branch.
• However, the vulnerability CVE-2021-46743 affects all versions prior to 6.0.0 of firebase/php-jwt.
• As a result, OPNsense ends up shipping a potentially vulnerable package with no straightforward way to upgrade.

Questions:
1. Is it expected behavior for OPNsense to still ship this old library with a known CVE?
2. Is there any plugin or functionality in OPNsense that strictly requires php-google-api-php-client (and thus php-jwt), or can the package be safely removed if unused?
3. Are there plans upstream (FreeBSD ports or OPNsense) to update php-google-api-php-client so it supports jwt 6.x, which includes the CVE fix?

Thanks in advance for any clarification.
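The two checks the post relies on, as an added example that is not part of the original post: does the quoted caret constraint ever admit the 6.x line, and does the version recorded in Composer's installed.json fall before 6.0.0, the cutoff the CVE description gives. The installed.json content below is a constructed sample; on a real host it would be read from vendor/composer/installed.json.

```python
"""Evaluate a Composer caret constraint and an installed.json entry against
the firebase/php-jwt fix boundary (6.0.0) discussed in the thread."""
import json
import re

FIXED_IN = (6, 0, 0)  # first firebase/php-jwt release outside the affected range
CLIENT_CONSTRAINT = "^1.0 || ^2.0 || ^3.0 || ^4.0 || ^5.0"  # quoted from the client's composer.json

# Constructed sample in Composer 2 layout ({"packages": [...]}); Composer 1 used a bare list.
SAMPLE_INSTALLED_JSON = json.dumps({"packages": [
    {"name": "google/apiclient", "version": "v2.12.6"},
    {"name": "firebase/php-jwt", "version": "v5.5.1"},
]})

def parse_version(text):
    # Accept "5.5.1", "v5.5.1" or "5.5"; pad to three numeric components.
    nums = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def caret_range(spec):
    # Composer caret: ^X.Y means >= X.Y.0 and < (X+1).0.0 for X > 0,
    # and < 0.(Y+1).0 when X == 0. Only the caret form is handled here.
    low = parse_version(spec.lstrip("^"))
    high = (low[0] + 1, 0, 0) if low[0] > 0 else (0, low[1] + 1, 0)
    return low, high

def constraint_allows(constraint, version):
    # "||" joins alternatives; the version is allowed if any alternative admits it.
    v = parse_version(version)
    for alt in (a.strip() for a in constraint.split("||")):
        if not alt.startswith("^"):
            raise ValueError("only caret constraints are supported: " + alt)
        low, high = caret_range(alt)
        if low <= v < high:
            return True
    return False

def installed_version(installed_json, name="firebase/php-jwt"):
    data = json.loads(installed_json)
    packages = data["packages"] if isinstance(data, dict) else data
    return next((p["version"] for p in packages if p.get("name") == name), None)

def is_affected(version):
    # Per the thread: every release before 6.0.0 is in the CVE-2021-46743 range.
    return parse_version(version) < FIXED_IN

if __name__ == "__main__":
    print("constraint admits 6.0.0:", constraint_allows(CLIENT_CONSTRAINT, "6.0.0"))
    found = installed_version(SAMPLE_INSTALLED_JSON)
    print("installed", found, "affected:", is_affected(found))
```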

25.1 is an unsupported EOL release. Upgrade to the supported 25.7.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

It is the one that comes with the official AWS market image.

I will try to upgrade later and verify whether this issue is gone.

Thanks for your quick answer.