pyjwt v2.10.1 was discovered to contain weak encryption. NOTE: this is disputed by the Supplier because the key length is chosen by the application that uses the library (admittedly, library users may benefit from a minimum value and a mechanism for opting in to strict enforcement).

🗓️ 04 Sep 2025 03:30:36Reported by MicrosoftType

mscve

mscve🔗 msrc.microsoft.com👁 3 Views

PyJWT version 2.10.1 found to use weak encryption; supplier says key length is chosen by the app.

Reporter	Title	Published	Views	Family All 31
IBM Security Bulletins	Security Bulletin: There are multiple vulnerabilities that can affect IBM Fusion	11 Sep 202518:18	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM Concert Software.	28 Oct 202505:59	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in PyJWT-2.10.1-py3-none-any.whl	4 Feb 202618:34	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite Ai-Service Component uses pyjwt v2.10.1 library which is vulnerable to CVE-2025-45768	23 Sep 202512:45	–	ibm
Tenable Nessus	Amazon Linux 2023 : python3-jwt, python3-jwt+crypto (ALAS2023-2026-1467)	6 Mar 202600:00	–	nessus
Tenable Nessus	TencentOS Server 4: python-jwt (TSSA-2026:0119)	6 Mar 202600:00	–	nessus
Tenable Nessus	Linux Distros Unpatched Vulnerability : CVE-2025-45768	18 Aug 202500:00	–	nessus
Amazon	Medium: python-jwt	5 Mar 202600:00	–	amazon
Circl	CVE-2025-45768	30 Jul 202501:53	–	circl
CNNVD	pyjwt 安全漏洞	31 Jul 202500:00	–	cnnvd

04 Sep 2025 03:30Current

7High risk

Vulners AI Score7

CVSS 3.17

EPSS0.00153

SSVC

jwt library weak encryption key length control supplier dispute application chooses