PT-2026-44395 · Pypi · Pyjwt
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
PyJWT versions 2.9.0 through 2.12.1
Description
A verifier-side algorithm allow-list bypass occurs when
jwt.decode() or jwt.decode complete() are called with a PyJWK key. While the token header alg is checked against the provided algorithms allow-list, signature verification is performed using the algorithm bound to the PyJWK object rather than the header algorithm. This allows an attacker controlling a registered JWK/JWKS private key to sign a token with a disallowed algorithm and advertise an allowed algorithm in the JWT header to gain acceptance. This issue affects the PyJWKClient.get signing key from jwt(...) flow.Recommendations
Update to version 2.13.0.
Exploit
Fix
Improper Verification of Cryptographic Signature
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Pyjwt