Skip to main content

Pyjwt

5 CVEs product

Monthly

CVE-2026-48526 PyPI HIGH POC PATCH GHSA This Week

Authentication bypass in PyJWT versions prior to 2.13.0 allows remote attackers to forge valid JSON Web Tokens by exploiting an algorithm confusion flaw where the library fails to validate that a JSON Web Key intended for asymmetric verification is not reused as an HMAC shared secret. An attacker who knows the issuer's public key (typically distributed openly via JWKS endpoints) can sign HMAC-algorithm tokens with that public key and have them accepted as legitimate. No public exploit identified at time of analysis, though the underlying algorithm-confusion class is a well-documented JWT attack pattern.

Python Authentication Bypass Pyjwt
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-32597 PyPI HIGH PATCH GHSA This Week

PyJWT versions before 2.12.0 fail to validate the 'crit' (Critical) header parameter in JSON Web Signatures (JWS), accepting tokens with unrecognized critical extensions instead of rejecting them as required by RFC 7515. This allows attackers to potentially bypass security mechanisms by injecting malicious critical extensions that the library ignores, leading to integrity compromise. With an EPSS score of only 0.01% and no KEV listing, this represents a low real-world exploitation risk despite the high CVSS score.

Information Disclosure Python Pyjwt
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2024-53861 PyPI HIGH POC PATCH This Week

pyjwt is a JSON Web Token implementation in Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Denial Of Service Pyjwt
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2022-29217 PyPI HIGH PATCH This Week

PyJWT is a Python implementation of RFC 7519. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Pyjwt Fedora
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2017-11424 PyPI HIGH PATCH This Week

In PyJWT 1.5.0 and below the `invalid_strings` check in `HMACAlgorithm.prepare_key` does not account for all PEM encoded public keys. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Pyjwt Debian Linux
NVD GitHub
CVSS 3.0
7.5
EPSS
0.2%
EPSS 0% CVSS 7.4
HIGH POC PATCH This Week

Authentication bypass in PyJWT versions prior to 2.13.0 allows remote attackers to forge valid JSON Web Tokens by exploiting an algorithm confusion flaw where the library fails to validate that a JSON Web Key intended for asymmetric verification is not reused as an HMAC shared secret. An attacker who knows the issuer's public key (typically distributed openly via JWKS endpoints) can sign HMAC-algorithm tokens with that public key and have them accepted as legitimate. No public exploit identified at time of analysis, though the underlying algorithm-confusion class is a well-documented JWT attack pattern.

Python Authentication Bypass Pyjwt
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

PyJWT versions before 2.12.0 fail to validate the 'crit' (Critical) header parameter in JSON Web Signatures (JWS), accepting tokens with unrecognized critical extensions instead of rejecting them as required by RFC 7515. This allows attackers to potentially bypass security mechanisms by injecting malicious critical extensions that the library ignores, leading to integrity compromise. With an EPSS score of only 0.01% and no KEV listing, this represents a low real-world exploitation risk despite the high CVSS score.

Information Disclosure Python Pyjwt
NVD GitHub VulDB
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

pyjwt is a JSON Web Token implementation in Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Denial Of Service Pyjwt
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

PyJWT is a Python implementation of RFC 7519. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Pyjwt +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

In PyJWT 1.5.0 and below the `invalid_strings` check in `HMACAlgorithm.prepare_key` does not account for all PEM encoded public keys. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Pyjwt Debian Linux
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy