EUVD-2026-11728
GHSA-752w-5fwx-jx9f
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
4Description
PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.
Analysis
PyJWT versions before 2.12.0 fail to validate the 'crit' (Critical) header parameter in JSON Web Signatures (JWS), accepting tokens with unrecognized critical extensions instead of rejecting them as required by RFC 7515. This allows attackers to potentially bypass security mechanisms by injecting malicious critical extensions that the library ignores, leading to integrity compromise. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all systems and applications using PyJWT and identify versions prior to 2.12.0. Within 7 days: Prioritize testing PyJWT 2.12.0+ in non-production environments and establish upgrade timeline for affected systems. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today