We did not find any security vulnerabilities in the JWT library itself; however, we did find a previously undiscovered cryptographic vulnerability in one of its dependencies.
Users of this library can elect to use ECSDA signatures on their JSON Web Tokens, which is facilitated by a library called PHPECC. Whenever you write code to perform any sort of authentication in a cryptography context, it must be done in constant-time or else you leak information that could allow attackers to forge their own invalid tokens. Depending on what your application does with this data after signature verification, the damage could be severe.
We notified the PHPECC maintainers in Issue #113 and sent pull request #114 to address these concerns.