
wubinworks/module-jwt-auth-patch
================================

Fixes the JWT authentication vulnerability on certain Magento 2 versions by denying tokens issued under an old encryption key. If you cannot upgrade Magento or cannot apply the official patch, try this one.

Version 1.0.0, license OSL-3.0, PHP >=7.3


[Source](https://github.com/wubinworks/magento2-jwt-auth-patch) · [Packagist](https://packagist.org/packages/wubinworks/module-jwt-auth-patch) · [Docs](https://www.wubinworks.com)


Magento 2 JWT Authentication Patch
==================================


**Fixes the JWT authentication vulnerability on certain Magento 2 versions by denying tokens issued under an old encryption key. If you cannot upgrade Magento or cannot apply the official patch, try this one.**

[![Wubinworks Magento 2 JWT Authentication Patch](https://raw.githubusercontent.com/wubinworks/home/master/images/Wubinworks/JwtAuthPatch/jwt-auth-patch.jpg "Wubinworks Magento 2 JWT Authentication Patch")](https://www.wubinworks.com/jwt-auth-patch.html)

Background
----------


In September 2024, an authentication vulnerability was disclosed affecting multiple Magento versions; the affected versions are the ones that ship the newer `Magento_JwtUserToken` module.

Tokens (especially Admin Tokens) issued under an **old** encryption key remain valid even after a new key is added. The vulnerability is caused by a bug in the module mentioned above. An attacker who once obtained a key therefore keeps **persistent** Admin-level WebAPI access to the victim's store.

#### CVE-2024-34102 (aka Cosmic Sting) Secondary Disaster


By exploiting CVE-2024-34102, an attacker can steal the encryption key and craft a "valid" Admin Token.
Rotating the key without fixing this vulnerability does not revoke the attacker's Admin-level access.
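As an added illustration (not code from this module or from Magento core), the following minimal PHP model shows the flaw described above and the check this patch enforces: a token signed with a rotated-out key is still accepted when every key in the ring is tried, but is rejected when only the current key is trusted. The HS256 tokens, the keyring ordering (oldest first, newest last, assumed to mirror `crypt/key`), and all key and claim values are constructed for the example.

```php
<?php
// Added example, not part of the wubinworks module or Magento core. Models the
// Magento_JwtUserToken behaviour with a plain HS256 JWT and a keyring ordered
// oldest to newest (assumed). All keys and claims are constructed sample values.

function b64url(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

function issueToken(array $claims, string $key): string {
    $head = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $body = b64url(json_encode($claims));
    $sig  = b64url(hash_hmac('sha256', "$head.$body", $key, true));
    return "$head.$body.$sig";
}

function signatureValidWithKey(string $jwt, string $key): bool {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return false;
    [$head, $body, $sig] = $parts;
    $expected = b64url(hash_hmac('sha256', "$head.$body", $key, true));
    return hash_equals($expected, $sig);
}

// Vulnerable behaviour: any key in the ring verifies, so a token minted
// with a leaked, rotated-out key stays valid after rotation.
function verifyAnyKey(string $jwt, array $keyring): bool {
    foreach ($keyring as $key) {
        if (signatureValidWithKey($jwt, $key)) return true;
    }
    return false;
}

// Patched behaviour ("deny tokens issued by old encryption key"): only the
// newest key verifies. Old keys stay in the ring so previously encrypted
// data can still be decrypted, but they never validate a token.
function verifyCurrentKeyOnly(string $jwt, array $keyring): bool {
    $current = end($keyring);
    return $current !== false && signatureValidWithKey($jwt, $current);
}

$keyring = ['old-leaked-key-0000', 'new-key-after-rotation-1111']; // constructed
$adminClaims = ['uid' => 1, 'utypid' => 2, 'iat' => 1700000000, 'exp' => 1700003600];
$staleToken = issueToken($adminClaims, $keyring[0]); // minted before rotation
$freshToken = issueToken($adminClaims, $keyring[1]);
var_dump(verifyAnyKey($staleToken, $keyring));         // unpatched check
var_dump(verifyCurrentKeyOnly($staleToken, $keyring)); // patched check
var_dump(verifyCurrentKeyOnly($freshToken, $keyring)); // fresh token still valid
```

Run it with `php example.php`; the first and third checks accept the token while the second rejects the stale one, which is the difference the patch introduces.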

#### Do I really need this patch?


If your store has already been hacked, or you are unsure whether it has, then you **should assume** the encryption key is leaked. Rotating the encryption key is urgent.

Rotate Encryption Key
---------------------


*Note 1: Perform the key rotation **after** installing this patch (extension).*

*Note 2: Encryption keys are stored in `app/etc/env.php` under the `crypt/key` path, but **do not delete old keys after rotation**.*

- Log in to the Admin Panel
- Go to `System > Other Settings > Manage Encryption Key`
- Change `Auto-generate a Key` to `Yes` and then click `Change Encryption Key`

More details, including command line methods, are in this [blog post](https://www.wubinworks.com/blog/post/magento2-rotate-encryption-key).

We also developed a tool for deployment automation purposes. Check [Magento 2 Encryption Key Manager CLI](#you-may-also-like).

Requirements
------------


#### For affected versions only


- **2.4.4 ~ 2.4.4-p9**
- **2.4.5 ~ 2.4.5-p8**
- **2.4.6 ~ 2.4.6-p6**
- **2.4.7 ~ 2.4.7-p1**

#### Compatibility


This extension does not use a di.xml `preference` (class override), so it does not replace core classes.

Installation
------------


**`composer require wubinworks/module-jwt-auth-patch`**

♥
-


If you like this extension please star this repository.

You May Also Like
-----------------


[Magento 2 patch for CVE-2024-34102(aka Cosmic Sting)](https://github.com/wubinworks/magento2-cosmic-sting-patch)

[Magento 2 Encryption Key Manager CLI](https://github.com/wubinworks/magento2-encryption-key-manager-cli)


PHPackages © 2026

