Pypi · Pyjwt · CVE-2026-48523
**Name of the Vulnerable Software and Affected Versions**
PyJWT versions 2.9.0 through 2.12.1
**Description**
A verifier-side algorithm allow-list bypass occurs when `jwt.decode()` or `jwt.decode_complete()` is called with a PyJWK key. The token header `alg` is checked against the provided `algorithms` allow-list, but signature verification is then performed with the algorithm bound to the PyJWK object rather than with the header algorithm. An attacker who controls the private key of a registered JWK/JWKS entry can therefore sign a token with a disallowed algorithm while advertising an allowed algorithm in the JWT header, and the token is accepted. This issue affects the `PyJWKClient.get_signing_key_from_jwt(...)` flow.
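The gap described above is that the allow-list check and the actual verification can disagree about which algorithm is in play. Until the upgrade below is rolled out, a verifier can close that gap on its own side by pinning all three to one value: the header `alg` must be in the allow-list *and* equal the algorithm the PyJWK is bound to, and only that single algorithm is passed to `jwt.decode()`. The following is an added example written for this advisory, not code from PyJWT; `pinned_algorithm`, `is_acceptable`, `decode_with_pinned_alg` and the sample-token helper are hypothetical names, `algorithm_name` is the attribute a `PyJWK` exposes for its bound algorithm, and the tokens built here are constructed (unsigned) samples that exercise only the header check:

```python
"""Pin the verification algorithm to the JWT header before handing a PyJWK to jwt.decode()."""
import base64
import json

try:
    import jwt  # PyJWT; optional so the header pre-check below runs without it
except ImportError:
    jwt = None


class AlgorithmMismatch(Exception):
    """Header 'alg' is absent, not allowed, or differs from the key's bound algorithm."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_header(token: str) -> dict:
    """Parse the JOSE header without touching the signature (like jwt.get_unverified_header)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise AlgorithmMismatch("token does not have three segments")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise AlgorithmMismatch(f"unparseable header: {exc}") from exc
    if not isinstance(header, dict):
        raise AlgorithmMismatch("header is not a JSON object")
    return header


def pinned_algorithm(token: str, key_algorithm_name: str, allowed: list[str]) -> str:
    """Return the single algorithm verification must use, or raise AlgorithmMismatch.

    The header 'alg' must be a string, be in the allow-list, and be identical to the
    algorithm the PyJWK is bound to. The last condition is the one that matters here:
    the key's algorithm is never used for a token that advertises a different one.
    """
    alg = unverified_header(token).get("alg")
    if not isinstance(alg, str) or alg not in allowed:
        raise AlgorithmMismatch(f"header alg {alg!r} is not in the allow-list {allowed}")
    if alg != key_algorithm_name:
        raise AlgorithmMismatch(f"header alg {alg!r} != key algorithm {key_algorithm_name!r}")
    return alg


def is_acceptable(token: str, key_algorithm_name: str, allowed: list[str]) -> bool:
    """Boolean form of pinned_algorithm() for callers that only need accept/reject."""
    try:
        pinned_algorithm(token, key_algorithm_name, allowed)
    except AlgorithmMismatch:
        return False
    return True


def decode_with_pinned_alg(token: str, signing_key, allowed: list[str], **kwargs) -> dict:
    """jwt.decode() wrapper; signing_key is a PyJWK, e.g. from PyJWKClient.get_signing_key_from_jwt()."""
    if jwt is None:
        raise RuntimeError("PyJWT is not installed")
    alg = pinned_algorithm(token, signing_key.algorithm_name, allowed)
    # Only the pinned algorithm is offered, so header alg, allow-list and key algorithm agree.
    return jwt.decode(token, key=signing_key, algorithms=[alg], **kwargs)


def make_sample_token(header: dict) -> str:
    # Constructed sample: header + empty payload + dummy signature; enough for the header check.
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(header)}.{enc({})}.AAAA"


if __name__ == "__main__":
    allowed = ["RS256"]
    token = make_sample_token({"alg": "RS256", "typ": "JWT"})
    print(pinned_algorithm(token, "RS256", allowed))      # key bound to the advertised alg: accepted
    print(is_acceptable(token, "ES256", allowed))         # key bound to a different alg: False
```

`decode_with_pinned_alg` is the drop-in point: fetch the key with `PyJWKClient.get_signing_key_from_jwt(token)` as before, then call this wrapper instead of `jwt.decode()` directly. Because `algorithms=[alg]` contains exactly the header value and that value has already been matched against the key's `algorithm_name`, the verification path and the allow-list can no longer diverge, whichever of the two the library consults internally.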
**Recommendations**
Update to version 2.13.0.