Pypi · Pyjwt · CVE-2024-53861
Name of the Vulnerable Software and Affected Versions:
pyjwt version 2.10.0 (only this release is affected)
Description:
An incorrect string comparison is run for `iss` checking, resulting in `"abc"` being accepted for `" abc "`. The bug was introduced in version 2.10.0, where the `iss` claim check changed from `isinstance(issuer, list)` to `isinstance(issuer, Sequence)`. Since `str` is a `Sequence` but not a `list`, the `in` operator is now applied to a plain string as well, which turns the check into a substring test: `if "abc" not in " abcd ":` is evaluated instead of `if "abc" != " abc ":`. Signature checks are still present, so the real-world impact is likely limited to denial of service scenarios.
Recommendations:
For pyjwt version 2.10.0, upgrade to version 2.10.1 to resolve the issue. As a temporary workaround, consider disabling the library's `iss` claim checking until the fix can be applied. Restrict access to the `iss` claim to minimize the risk of exploitation. Avoid relying on the `iss` claim in the affected API endpoint until the issue is resolved.
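The following added example (not pyjwt's own code) models the `iss` comparison the description quotes: the 2.10.0 form, where a `str` expected issuer falls into the `Sequence` branch and `in` becomes a substring test, beside a corrected form that only uses `in` for real containers, plus an application-side equality check of the kind the workaround above implies when the library check is disabled. `InvalidIssuerError` and the function names are assumptions made for this example.

```python
from collections.abc import Sequence


class InvalidIssuerError(Exception):
    """Raised when the token's `iss` claim does not match the expected issuer."""


def validate_iss_2_10_0(payload: dict, issuer) -> None:
    """Models the 2.10.0 logic. `str` is a Sequence, so `in` is a substring test here."""
    if "iss" not in payload:
        raise InvalidIssuerError('Token is missing the "iss" claim')
    if isinstance(issuer, Sequence):
        # For issuer=" abcd " and payload iss="abc": "abc" in " abcd " is True -> accepted
        if payload["iss"] not in issuer:
            raise InvalidIssuerError("Invalid issuer")
    elif payload["iss"] != issuer:
        raise InvalidIssuerError("Invalid issuer")


def validate_iss_fixed(payload: dict, issuer) -> None:
    """Corrected form (assumed, not pyjwt's code): a single str is compared with `!=`;
    only non-string containers use `in`, restoring the pre-2.10.0 behaviour."""
    if "iss" not in payload:
        raise InvalidIssuerError('Token is missing the "iss" claim')
    if isinstance(issuer, str):
        if payload["iss"] != issuer:
            raise InvalidIssuerError("Invalid issuer")
    elif payload["iss"] not in issuer:
        raise InvalidIssuerError("Invalid issuer")


def app_side_issuer_check(payload: dict, allowed_issuers) -> None:
    """Workaround while the library check is disabled: compare the decoded `iss`
    claim against an explicit allow-list of exact strings. Refuses a bare str so the
    same substring mistake cannot be reintroduced by the caller."""
    if isinstance(allowed_issuers, str):
        raise TypeError("allowed_issuers must be a list/tuple of exact issuer strings")
    iss = payload.get("iss")
    if not isinstance(iss, str) or iss not in tuple(allowed_issuers):
        raise InvalidIssuerError("Invalid issuer")


def accepted(check, payload: dict, issuer) -> bool:
    """True if `check` accepts `payload` for `issuer`, False if it raises InvalidIssuerError."""
    try:
        check(payload, issuer)
        return True
    except InvalidIssuerError:
        return False
```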