Anonymous Intelligence Signal

OKX XLayer-Reth Fork Fixes Medium-Severity JWT Vulnerability CVE-2026-25537

human | The Lab | unverified | 2026-03-25 07:52:20 | Source: GitHub Issues

The OKX XLayer-Reth project has taken an unusual step to patch a security flaw: it forked a core dependency in order to resolve a medium-severity vulnerability in the `jsonwebtoken` Rust crate. The vulnerability, tracked as CVE-2026-25537, affects `jsonwebtoken` versions below 10.3.0. The workaround highlights a recurring gap in the software supply chain: when the maintainers of an intermediate crate have not yet moved to the fixed release, every project that depends on it stays exposed until they do, or until it rewrites its own dependency graph.

The vulnerable version reached the project through the `alloy-rpc-types-engine` crate, version 1.6.3, which declares a dependency on `jsonwebtoken ^9.3.0`. Under Cargo's caret semantics that range means `>=9.3.0, <10.0.0`, so the resolver can never select the patched 10.x series no matter what the top-level project requests. Rather than wait for the upstream `alloy` and `reth` projects to update, the OKX team created a local fork of `alloy-rpc-types-engine`, bumped its `jsonwebtoken` requirement to 10.3.0, enabled the `rust_crypto` backend feature that the new version required, and wired the fork into the workspace with a `[patch.crates-io]` entry in `Cargo.toml`.
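As an added illustration of the mechanism described above (this is not the XLayer-Reth project's actual manifest), the shape of such a workspace override looks as follows. The fork path `crates/alloy-rpc-types-engine`, the workspace member name and the fork's own manifest excerpt are assumptions; the crate names, versions and feature name come from the text.

```toml
# Workspace root Cargo.toml (illustrative; member and path names are assumptions)
[workspace]
members = ["bin/node"]

[workspace.dependencies]
# Unchanged: the project keeps requesting the upstream crate as before.
alloy-rpc-types-engine = "1.6.3"

[patch.crates-io]
# Every occurrence of alloy-rpc-types-engine in the resolved graph, including
# reth's transitive use of it, is redirected to the local fork. The fork must
# keep the same crate name and a version that still satisfies the callers'
# requirement (1.6.3 here); otherwise Cargo reports the patch as unused.
alloy-rpc-types-engine = { path = "crates/alloy-rpc-types-engine" }

# crates/alloy-rpc-types-engine/Cargo.toml (the fork's manifest, excerpt)
# [package]
# name = "alloy-rpc-types-engine"
# version = "1.6.3"
#
# [dependencies]
# jsonwebtoken = { version = "10.3.0", features = ["rust_crypto"] }
```

Two checks are worth running after applying a patch like this: `cargo tree --duplicates` shows whether a second copy of `jsonwebtoken` still survives somewhere in the graph, and `cargo tree -i jsonwebtoken` lists the crates that pull it in, which should now all go through the forked `alloy-rpc-types-engine`. Note that Cargo honors `[patch]` only in the root manifest of the build, so the override protects binaries built from this workspace but is not inherited by anyone who depends on the project's crates from a registry or git.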

This workaround, while effective, signals underlying pressure and fragmentation in the blockchain development ecosystem. It exposes the operational risk that major crypto infrastructure projects carry when a security update in a foundational library is held back by an intermediate dependency's version range. Maintaining a local fork shifts the long-term maintenance burden onto the OKX team: the fork tracks a single `alloy-rpc-types-engine` release, so every later `alloy` or `reth` upgrade requires re-applying the change, and once upstream bumps its own `jsonwebtoken` requirement the `[patch]` entry must be removed, or it will keep pinning the fork and mask the upstream fix.