PT-2022-24825 · Pypi · Python-Jwt

Tom Tervoort · Published 2022-09-01 · Updated 2024-07-10 · CVE-2022-39227

CVSS v4.0: 9.3 Critical
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: python-jwt versions prior to 3.3.4

Description: The issue allows an attacker who obtains any JSON Web Token (JWT) issued by an application to forge its contents arbitrarily without knowing the secret key. Depending on the application, this may enable the attacker to spoof other users' identities, hijack their sessions, or bypass authentication. The vulnerability is caused by an inconsistency between the JWT parser used by python-jwt and the one used by its dependency jwcrypto, which performs the signature verification: the claims python-jwt hands back to the application can differ from the payload whose signature jwcrypto actually checked.

Recommendations: Upgrade python-jwt to version 3.3.4 or later. There is no known workaround other than upgrading; until the fixed version is deployed, do not rely on python-jwt's verify_jwt function, or on the module as a whole, for authentication decisions.
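The two checks below are an added example written for this page, not code from python-jwt, jwcrypto, or the reporter. The first confirms that the installed python-jwt is at or beyond the fixed release 3.3.4. The second is a generic defence-in-depth gate for a token verifier whose parsers disagree: it accepts only the RFC 7515 compact serialization (exactly three base64url segments with a JSON header carrying a string `alg`) so that every parser in the chain sees the same bytes, and drops anything else before verification runs. That gate, the rejection of the `none` algorithm, the helper `_sign_compact`, the sample key and tokens, and the `gate()` wrapper are all assumptions of this example and not the upstream fix; neither check is a substitute for upgrading.

```python
"""Added example (not python-jwt's or jwcrypto's code): two pre-checks to run
before trusting python-jwt's verify_jwt() in a deployment exposed to
CVE-2022-39227. Assumptions: the compact-only gate and the 'none' rejection
are generic hardening, not the upstream fix; sample tokens are constructed.
"""
import base64
import hashlib
import hmac
import json
import re
from typing import Optional

FIXED_VERSION = (3, 3, 4)  # first python-jwt release without CVE-2022-39227

# Unpadded base64url alphabet (RFC 7515, section 2).
_B64URL = re.compile(r"^[A-Za-z0-9_-]+$")


def parse_version(version: str) -> tuple:
    """'3.3.3' -> (3, 3, 3). A pre-release suffix such as 'rc1' is ignored."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def python_jwt_is_patched(version: Optional[str] = None) -> bool:
    """True if the given (or the installed) python-jwt version is >= 3.3.4."""
    if version is None:
        from importlib.metadata import PackageNotFoundError, version as pkg_version
        try:
            version = pkg_version("python-jwt")
        except PackageNotFoundError:
            return False  # not installed: nothing to trust either way
    return parse_version(version) >= FIXED_VERSION


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment; ValueError on anything else."""
    if not _B64URL.match(segment):
        raise ValueError("segment is not base64url")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def is_compact_jws(token: str) -> bool:
    """Accept only RFC 7515 compact serialization: header.payload.signature.

    Rejects JSON-serialized JWS objects, tokens with extra or missing
    segments, non-base64url characters, headers that are not a JSON object
    with a string 'alg', and the unsigned 'none' algorithm (extra hardening
    assumed here, not taken from the advisory).
    """
    if not isinstance(token, str) or token.count(".") != 2:
        return False
    header_b64, payload_b64, signature_b64 = token.split(".")
    if not (header_b64 and payload_b64 and signature_b64):
        return False
    try:
        header = json.loads(_b64url_decode(header_b64))
        _b64url_decode(payload_b64)
        _b64url_decode(signature_b64)
    except (ValueError, UnicodeDecodeError):
        return False
    return (isinstance(header, dict)
            and isinstance(header.get("alg"), str)
            and header["alg"].lower() != "none")


def _sign_compact(header: dict, claims: dict, key: bytes) -> str:
    """Constructed HS256 sample token for the demo below (not a library API)."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    signing_input = f"{enc(header)}.{enc(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + base64.urlsafe_b64encode(sig).rstrip(b"=").decode()


# Constructed inputs: a valid compact token, and the same signature re-wrapped
# in the RFC 7515 JSON serialization, which the gate must refuse.
SAMPLE_KEY = b"constructed-demo-key"
GOOD_TOKEN = _sign_compact({"alg": "HS256", "typ": "JWT"}, {"sub": "alice"}, SAMPLE_KEY)
_h, _p, _s = GOOD_TOKEN.split(".")
JSON_TOKEN = json.dumps({"protected": _h, "payload": _p, "signature": _s})


def gate(token: str, installed_version: Optional[str] = None) -> bool:
    """Hypothetical pre-check to call before verify_jwt(): both gates must pass."""
    return python_jwt_is_patched(installed_version) and is_compact_jws(token)


if __name__ == "__main__":
    for label, tok in (("compact", GOOD_TOKEN), ("json", JSON_TOKEN),
                       ("extra segment", GOOD_TOKEN + ".x")):
        print(f"{label:14s} shape ok: {is_compact_jws(tok)}")
    print("installed python-jwt patched:", python_jwt_is_patched())
```

Run it inside the application's virtual environment so that `python_jwt_is_patched()` inspects the python-jwt that `verify_jwt` actually comes from. The shape gate is deliberately stricter than the libraries it fronts: a token that fails it is not necessarily malicious, but it is one that two parsers could read differently, which is exactly the condition this advisory describes.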

Weakness Enumeration

Authentication Bypass by Spoofing (CWE-290)

Related Identifiers

AZL-11032
CVE-2022-39227
GHSA-5P8V-58QM-C7FP
PYSEC-2022-259

Affected Products

Python-Jwt