PT-2026-44394 · Pypi · Pyjwt
CVSS v3.1
4.2
Medium
| Vector | AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
PyJWT versions prior to 2.13.0
Description
PyJWKClient passes the
uri argument directly to urllib.request.urlopen(), which utilizes the default OpenerDirector of the Python standard library. This allows the registration of HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler without a documented option to restrict the schemes being fetched. If an application accepts attacker-influenced URLs through the jku ingestion path, such as from a JWT header, configuration file, or OAuth flow parameter, an attacker can perform Server-Side Request Forgery (SSRF). This can lead to reading arbitrary local files via the file:// scheme, attempting FTP or data-URI fetches, or forging tokens that the library verifies as valid.Recommendations
Update to version 2.13.0.
Exploit
Fix
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Pyjwt