🚨 [security] [ruby] Update jwt 3.1.2 → 3.2.0 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ jwt (indirect, 3.1.2 → 3.2.0) · Repo · Changelog

Security Advisories 🚨

🚨 ruby-jwt: Empty-key HMAC bypass; cross-language sibling of CVE-2026-44351

JWT.decode(token, '', true, algorithm: 'HS256') accepts an attacker-forged token.
OpenSSL::HMAC.digest('SHA256', '', payload) returns a valid digest under an empty key, and no raise InvalidKeyError if key.empty? precondition exists in the HMAC algorithm.

JWT.decode(token, "", true, algorithm: 'HS256')
  -> JWA::Hmac.verify(verification_key: "", ...)
  -> OpenSSL::HMAC.digest('SHA256', "", signing_input) == signature

The same path is reached when a keyfinder block or key_finder: argument returns "", nil, or an
array containing nil for an unknown key. JWT::Decode#find_key only rejects literal nil and empty
arrays, and JWT::JWA::Hmac silently coerces nil to "" (signing_key ||= '') before signing.

JWT.decode(token, nil, true, algorithms: ['HS256']) { |_h| "" }
  -> find_key returns ""               # "" && !Array("").empty? == true
  -> JWA::Hmac.verify(verification_key: "", ...)
  -> verifies

Common application patterns that produce the unsafe value: redis.get("kid:#{kid}").to_s, ORM string columns with default: '', ENV['SECRET'] || '', Hash.new('') lookups, [primary, fallback] where fallback may be nil. Applications passing a non-empty static key:, or whose keyfinder returns nil / raises on miss, are not affected.

The existing enforce_hmac_key_length option would block this but defaults to false. On OpenSSL ≥ 3.5 the empty-key HMAC.digest call no longer raises, so the OpenSSL-3.0 rescue in JWA::Hmac#sign does not fire.

Affects HS256/HS384/HS512 via both JWT.decode (positional key and block keyfinder) and
JWT::EncodedToken#verify_signature!(key_finder:)

Release Notes

3.2.0

v3.2.0 (2026-05-13)

Full Changelog

Features:

• Add enforce_hmac_key_length configuration option #716 - (@304)

Fixes and enhancements:

• Reject nil and empty HMAC keys when signing and verifying (CVE-2026-45363 / GHSA-c32j-vqhx-rx3x)
• Fix compatibility with the openssl 4.0 gem #706
• Test against Ruby 4.0 on CI #707
• Fix type error when header is not a JSON object #715 - (@304)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 15 commits:

• Merge commit from fork
• Bump actions/download-artifact from 7 to 8 (#719)
• Bump actions/upload-artifact from 6 to 7 (#718)
• Fix Style/PredicateWithKind RuboCop issue (#720)
• Extract context classes into separate files for better organization (#717)
• Add enforce_hmac_key_length configuration option (#716)
• Fix type error when header is not a JSON object (#715)
• Fix typo in "Rubocop" to use correct casing "RuboCop" (#714)
• Bump actions/download-artifact from 4 to 7 (#708)
• Bump actions/upload-artifact from 4 to 6 (#709)
• Bump qltysh/qlty-action from 1 to 2 (#710)
• Bump actions/checkout from 4 to 6 (#711)
• Add Ruby 4 to test matrix (#707)
• Fix compatibility with ruby-head (#706)
• Fix some typos (#705)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)