CVE-2025-61152

Name of the Vulnerable Software and Affected Versions python-jose versions through 3.3.0

Description The software accepts JWT tokens with 'alg=none' without cryptographic signature verification. This allows a malicious actor to create forged tokens with arbitrary claims, potentially bypassing authentication checks and leading to privilege escalation or unauthorized access. The API endpoint is not specified. The vulnerable parameter is the JWT token itself. The vulnerable function is the token validation process.

Recommendations Versions prior to 3.3.1 should be updated.