Bump minimum aws-lc-rs dependency to address CVE-2026-3336 and CVE-2026-3338

jsonwebtoken currently specifies `aws-lc-rs ^1.15.0` as an optional dependency for the `aws_lc_rs` feature. This allows Cargo to resolve versions of `aws-lc-rs` that depend on `aws-lc-sys < 0.38.0`, which is affected by CVEs disclosed on 2026-03-02:

  - **[CVE-2026-3336](https://www.cve.org/CVERecord?id=CVE-2026-3336)** — `PKCS7_verify` certificate chain validation bypass
  - **[CVE-2026-3338](https://www.cve.org/CVERecord?id=CVE-2026-3338)** — `PKCS7_verify` signature validation bypass

 Bumping the minimum version of aws_lc_rs ensures that fresh resolves will pick up the patched `aws-lc-sys >= 0.38.0`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump minimum aws-lc-rs dependency to address CVE-2026-3336 and CVE-2026-3338 #491

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Bump minimum aws-lc-rs dependency to address CVE-2026-3336 and CVE-2026-3338 #491

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions