Lucene search
K
Pyjwt ProjectPyjwt

10 matches found

CVE
CVE
added 2022/05/24 2:10 p.m.1058 views

CVE-2022-29217

CVE-2022-29217 affects the Python PyJWT library (jwt handling for RFC 7519). The root cause is algorithm confusion when decoding tokens if the application does not restrict accepted algorithms; allowing unintended verification behavior across signing algorithms. The issue is mitigated by upgradin...

7.5CVSS6.7AI score0.012EPSS
CVE
CVE
added 2024/11/29 6:43 p.m.303 views

CVE-2024-53861

CVE-2024-53861 (pyjwt) : A defect in pyjwt caused by changing the iss check from a list-inclusive approach to a Sequence-based isinstance check; since str is a Sequence, the code may incorrectly evaluate string containment and permit certain values (e.g., "abc" in "abcd "), effectively altering t...

7.5CVSS4.1AI score0.0081EPSS
CVE
CVE
added 2026/03/12 9:41 p.m.273 views

CVE-2026-32597

PyJWT prior to 2.12.0 does not validate the crit header (RFC 7515 §4.1.11). If a JWS contains a crit array with extensions PyJWT cannot understand, the library accepts the token instead of rejecting it, violating the MUST requirement. This CVE affects PyJWT and is fixed in version 2.12.0. Remedia...

7.5CVSS5.8AI score0.00269EPSS
CVE
CVE
added 2017/08/24 4:0 p.m.150 views

CVE-2017-11424

CVE-2017-11424 affects PyJWT 1.5.0 and earlier, where the invalid_strings check in HMACAlgorithm.prepare_key fails to account for all PEM public-key formats (notably PKCS1 PEM prefixed with -----BEGIN RSA PUBLIC KEY-----), enabling key confusion attacks that could let an attacker craft JWTs from ...

7.5CVSS7.2AI score0.01804EPSS
CVE
CVE
added 2026/05/28 3:9 p.m.141 views

CVE-2026-48526

PyJWT (Python) prior to 2.13.0 did not validate the use of JSON Web Keys in HMAC verification, allowing an attacker to use the issuer public key as the HMAC secret during token verification. This could enable forging tokens when mixing RS/EC/JWK and HS algorithms. The issue is fixed in PyJWT 2.13...

7.4CVSS5.8AI score0.00394EPSS
CVE
CVE
added 2026/05/28 3:10 p.m.111 views

CVE-2026-48523

PyJWT vulnerability affecting versions 2.9.0–2.12.1 where verifier-side algorithm allow-list bypass occurs when decoding with a PyJWK/PyJWKClient key. The token header’s alg is checked against the caller-supplied allow-list, but the signature is verified using the algorithm bound to the PyJWK obj...

5.4CVSS5.8AI score0.00127EPSS
CVE
CVE
added 2026/05/28 3:0 p.m.82 views

CVE-2026-48522

PyJWKClient in PyJWT prior to 2.13.0 passes its uri argument directly to urllib.request.urlopen(), allowing attacker-controlled jku URLs to trigger SSRF and related token-forgery scenarios via file://, ftp://, or data: schemes. Affected component: PyJWKClient (Python). Root cause: lack of a schem...

4.2CVSS6AI score0.00181EPSS
CVE
CVE
added 2025/07/31 12:0 a.m.80 views

CVE-2025-45768

CVE-2025-45768 : PyJWT 2.10.1 is reported to have weak encryption; supplier disputes note that key length is chosen by the app using the library. The IBM bulletin for Watson Discovery Cartridge (ICP Discover) cites PyJWT-2.10.1 as affected and recommends upgrading to Watson Discovery Cartridge 5....

7CVSS6.6AI score0.0016EPSS
CVE
CVE
added 2026/05/28 3:11 p.m.53 views

CVE-2026-48525

PyJWT (Python) versions 2.8.0–2.12.1 expose an unauthenticated DoS when verifying detached JWS with the unencoded-payload option (b64: false, RFC 7797). PyJWT decodes the middle payload segment for detached-payload verification, then discards it and replaces it with the caller-provided detached_p...

5.3CVSS5.8AI score0.00288EPSS
CVE
CVE
added 2026/05/28 3:7 p.m.50 views

CVE-2026-48524

CVE-2026-48524 affects PyJWT prior to 2.13.0. The issue is in PyJWKClient.get_signing_key(), which can force a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since the kid is from an unverified token header, an attacker can trigger unlimite...

3.7CVSS5.8AI score0.00222EPSS