10 matches found
CVE-2022-29217
CVE-2022-29217 affects the Python PyJWT library (jwt handling for RFC 7519). The root cause is algorithm confusion when decoding tokens if the application does not restrict accepted algorithms; allowing unintended verification behavior across signing algorithms. The issue is mitigated by upgradin...
CVE-2024-53861
CVE-2024-53861 (pyjwt) : A defect in pyjwt caused by changing the iss check from a list-inclusive approach to a Sequence-based isinstance check; since str is a Sequence, the code may incorrectly evaluate string containment and permit certain values (e.g., "abc" in "abcd "), effectively altering t...
CVE-2026-32597
PyJWT prior to 2.12.0 does not validate the crit header (RFC 7515 §4.1.11). If a JWS contains a crit array with extensions PyJWT cannot understand, the library accepts the token instead of rejecting it, violating the MUST requirement. This CVE affects PyJWT and is fixed in version 2.12.0. Remedia...
CVE-2017-11424
CVE-2017-11424 affects PyJWT 1.5.0 and earlier, where the invalid_strings check in HMACAlgorithm.prepare_key fails to account for all PEM public-key formats (notably PKCS1 PEM prefixed with -----BEGIN RSA PUBLIC KEY-----), enabling key confusion attacks that could let an attacker craft JWTs from ...
CVE-2026-48526
PyJWT (Python) prior to 2.13.0 did not validate the use of JSON Web Keys in HMAC verification, allowing an attacker to use the issuer public key as the HMAC secret during token verification. This could enable forging tokens when mixing RS/EC/JWK and HS algorithms. The issue is fixed in PyJWT 2.13...
CVE-2026-48523
PyJWT vulnerability affecting versions 2.9.0–2.12.1 where verifier-side algorithm allow-list bypass occurs when decoding with a PyJWK/PyJWKClient key. The token header’s alg is checked against the caller-supplied allow-list, but the signature is verified using the algorithm bound to the PyJWK obj...
CVE-2026-48522
PyJWKClient in PyJWT prior to 2.13.0 passes its uri argument directly to urllib.request.urlopen(), allowing attacker-controlled jku URLs to trigger SSRF and related token-forgery scenarios via file://, ftp://, or data: schemes. Affected component: PyJWKClient (Python). Root cause: lack of a schem...
CVE-2025-45768
CVE-2025-45768 : PyJWT 2.10.1 is reported to have weak encryption; supplier disputes note that key length is chosen by the app using the library. The IBM bulletin for Watson Discovery Cartridge (ICP Discover) cites PyJWT-2.10.1 as affected and recommends upgrading to Watson Discovery Cartridge 5....
CVE-2026-48525
PyJWT (Python) versions 2.8.0–2.12.1 expose an unauthenticated DoS when verifying detached JWS with the unencoded-payload option (b64: false, RFC 7797). PyJWT decodes the middle payload segment for detached-payload verification, then discards it and replaces it with the caller-provided detached_p...
CVE-2026-48524
CVE-2026-48524 affects PyJWT prior to 2.13.0. The issue is in PyJWKClient.get_signing_key(), which can force a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since the kid is from an unverified token header, an attacker can trigger unlimite...