PT-2024-35959 · Pypi · Pyjwt

Fabianbadoi · Published 2024-11-29 · Updated 2026-03-26 · CVE-2024-53861

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: pyjwt version 2.10.0 only (fixed in 2.10.1)
Description: An incorrect string comparison is used when checking the iss claim: a token whose iss claim is "abc" is accepted when the expected issuer is " abc ", because the comparison has become a substring test. The bug was introduced in version 2.10.0, where the type check on the expected issuer changed from isinstance(issuer, list) to isinstance(issuer, Sequence). Since str is a Sequence but not a list, a single expected issuer passed as a string now takes the membership branch, so the check evaluates payload["iss"] not in issuer instead of payload["iss"] != issuer, that is, if "abc" not in " abc ": instead of if "abc" != " abc ":. Any token whose iss value is a substring of the configured issuer (including an empty string) therefore passes issuer validation. Signature verification is unaffected, so an attacker still needs a token signed with a key the verifier trusts; the real-world impact is therefore likely limited to denial of service scenarios.
Recommendations: For pyjwt version 2.10.0, upgrade to version 2.10.1, which restores exact comparison for a string issuer. Until the upgrade is deployed, do not disable iss checking; instead pass the expected issuer as a list (for example issuer=["https://idp.example"] in jwt.decode), so that the Sequence branch performs exact list membership rather than a substring test, or compare the decoded payload's iss claim to the expected value yourself after signature verification. Review every call site that passes a string issuer to jwt.decode, as those are the affected endpoints.
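The following is an added example and is not code from this page or from the PyJWT project. It models the two comparison branches exactly as the description states them (a Sequence check first, so a string issuer falls into the membership branch), puts the corrected ordering beside it (test for str first), and exercises the list-based workaround from the recommendations. Names such as validate_iss_vulnerable, validate_iss_fixed, outcome and CASES are this example's own, the exception classes are a simplified model, and the sample iss values are constructed for the demonstration; signature handling and other claims are deliberately left out.

```python
from collections.abc import Sequence
from typing import Any, Callable


class InvalidTokenError(Exception):
    """Base class for the rejection errors in this model (names chosen for the example)."""


class InvalidIssuerError(InvalidTokenError):
    """The token's iss claim does not match the expected issuer(s)."""


class MissingRequiredClaimError(InvalidTokenError):
    """The token carries no iss claim although one was expected."""


def validate_iss_vulnerable(payload: dict[str, Any], issuer: Any) -> None:
    """Model of the 2.10.0 branch order described in the advisory.

    A str is a Sequence, so a single expected issuer given as a string takes
    the membership branch and `payload["iss"] not in issuer` becomes a
    substring test: "abc" passes for " abc ", and "" passes for anything.
    """
    if issuer is None:
        return
    if "iss" not in payload:
        raise MissingRequiredClaimError("iss")
    if isinstance(issuer, Sequence):
        if payload["iss"] not in issuer:
            raise InvalidIssuerError("Invalid issuer")
    elif payload["iss"] != issuer:
        raise InvalidIssuerError("Invalid issuer")


def validate_iss_fixed(payload: dict[str, Any], issuer: Any) -> None:
    """Corrected ordering for this model: test for str first, so a single
    expected issuer is compared for equality and only real collections
    (list, tuple, ...) use membership. This is the example's own code, written
    to give the exact-match behaviour the fixed release restores.
    """
    if issuer is None:
        return
    if "iss" not in payload:
        raise MissingRequiredClaimError("iss")
    if isinstance(issuer, str):
        if payload["iss"] != issuer:
            raise InvalidIssuerError("Invalid issuer")
    elif payload["iss"] not in issuer:
        raise InvalidIssuerError("Invalid issuer")


def outcome(check: Callable[[dict[str, Any], Any], None], iss_value: Any, issuer: Any) -> str:
    """Run one check and report what a verifier would observe.

    Returns "accepted", "rejected" (a modelled token error), or
    "error:<ExceptionName>" when something other than a token error escapes.
    A non-string iss value hits the substring branch as `1 in " abc "`, which
    Python rejects with TypeError rather than a token error.
    """
    try:
        check({"iss": iss_value}, issuer)
    except InvalidTokenError:
        return "rejected"
    except Exception as exc:  # deliberately broad: we want to see what escapes
        return f"error:{type(exc).__name__}"
    return "accepted"


def accepts(check: Callable[[dict[str, Any], Any], None], iss_value: Any, issuer: Any) -> bool:
    """True when `check` lets a token with this iss claim through."""
    return outcome(check, iss_value, issuer) == "accepted"


# Constructed sample cases, not real tokens: (iss claim in token, expected issuer).
CASES = [
    ("abc", " abc "),                                # substring of the expected issuer
    ("acb", " abc "),                                # not a substring: rejected either way
    ("", "https://idp.example"),                     # empty iss is a substring of everything
    ("idp", "https://idp.example"),                  # partial issuer name
    ("https://idp.example", "https://idp.example"),  # the only legitimate match
    ("abc", [" abc "]),                              # workaround: a list makes `in` exact
]


def compare_checks() -> list[tuple[Any, Any, str, str]]:
    """Return (iss, expected, vulnerable_outcome, fixed_outcome) for every case."""
    return [
        (iss, expected,
         outcome(validate_iss_vulnerable, iss, expected),
         outcome(validate_iss_fixed, iss, expected))
        for iss, expected in CASES
    ]


if __name__ == "__main__":
    for iss, expected, vuln, fixed in compare_checks():
        print(f"iss={iss!r:24} expected={expected!r:28} 2.10.0={vuln:10} fixed={fixed}")
```

Running the block prints one line per case; the rows for "abc", "" and "idp" are the ones that flip from accepted to rejected once the string case is handled first, and the last row shows that wrapping the expected issuer in a list already gives exact matching on the vulnerable branch order.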

Exploit

Fix

DoS

Weakness Enumeration

Related Identifiers

CVE-2024-53861
GHSA-75C5-XW7C-P5PM
OPENSUSE-SU-2024:14540-1
SUSE-SU-2026:20879-1

Affected Products

Pyjwt