diff --git a/lib/jwt/decode.rb b/lib/jwt/decode.rb
index fa4c03f7..74420587 100644
--- a/lib/jwt/decode.rb
+++ b/lib/jwt/decode.rb
@@ -118,6 +118,8 @@ def none_algorithm?
 def decode_crypto
 @signature = Base64.urlsafe_decode64(@segments[2] || '')
+ rescue ArgumentError
+ raise(JWT::DecodeError, 'Invalid segment encoding')
 end
 def algorithm
diff --git a/spec/jwt_spec.rb b/spec/jwt_spec.rb
index 72b176aa..f3753cdf 100644
--- a/spec/jwt_spec.rb
+++ b/spec/jwt_spec.rb
@@ -575,6 +575,12 @@
 end
 end
+ context 'a token with invalid Base64 segments' do
+ it 'raises JWT::DecodeError' do
+ expect { JWT.decode('hello.there.world') }.to raise_error(JWT::DecodeError, 'Invalid segment encoding')
+ end
+ end
+
 context 'a token with two segments but does not require verifying' do
 it 'raises something else than "Not enough or too many segments"' do
 expect { JWT.decode('ThisIsNotAValidJWTToken.second', nil, false) }.to raise_error(JWT::DecodeError, 'Invalid segment encoding')
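Review bot: The added `rescue ArgumentError` in decode_crypto translates a low-level error without recording why; a comment above it, `# Base64 raises ArgumentError on malformed input; callers of JWT.decode only expect JWT::DecodeError`, would document the intent. Because the rescue is method-level it will also swallow any ArgumentError raised by code later added to this method, so either keep the body to this single call or narrow the rescue with an explicit `begin`/`end` around the decode if the method grows. The spec in this same commit already expects the identical 'Invalid segment encoding' message for a malformed header segment, so presumably the header and payload decoders perform the same translation elsewhere; if so, a single private segment-decoding helper would keep the three paths consistent. none_algorithm? and algorithm are only partly visible in this hunk.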
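Review bot: The new example `JWT.decode('hello.there.world')` most likely fails while the first segment is decoded, so it may never reach the `rescue` added to decode_crypto in lib/jwt/decode.rb — the existing two-segment example right below already expects the same message, which suggests the header path raises it first. To actually cover the new code, add an example whose header and payload segments are valid base64url and only the third segment is malformed, asserting the same `JWT::DecodeError` with `'Invalid segment encoding'`. Where the earlier segments are decoded relative to decode_crypto is outside this hunk, so this is inferred from the spec rather than from the code.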