
CVE-2026-48525

5.3 MEDIUM

PyJWT is a JSON Web Token implementation in Python

Published: 2026-05-28 · Last updated: 2026-06-01

Severity and scoring

CVSS: 5.3 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE: CWE-400

Affected products

Vendor: pyjwt_project
Product: pyjwt

Description

PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option ("b64": false, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For b64=false, PyJWT later discards that decoded payload and replaces it with the caller-provided detached_payload. In practice, this turns the middle segment into an attacker-controlled "work amplifier": a remote client can supply an arbitrarily large Base64URL payload segment that forces CPU work and memory allocations even if the signature is invalid. This creates an unauthenticated DoS vector against any endpoint that verifies detached JWS using PyJWT. This vulnerability is fixed in 2.13.0.
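The mitigation a verifying endpoint wants while it is still on an affected version is a cheap shape check that runs before any library call decodes the payload segment: cap the token size, parse only the protected header, and refuse a detached, b64=false token whose middle segment is not empty. The following is an added example written for this record; it is not PyJWT's code and not part of the NVD entry, uses only the standard library, and its size limits, the strict "crit" requirement and the sample tokens are constructed assumptions.

```python
import base64
import json

# Constructed limits for this example; tune them to what your endpoint really accepts.
MAX_TOKEN_LEN = 4096      # whole compact serialization
MAX_HEADER_LEN = 1024     # Base64URL-encoded protected header only


def b64url_encode(raw: bytes) -> str:
    """Unpadded Base64URL as used by JWS."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Re-add padding and decode; raises ValueError (binascii.Error) on bad input."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_header_segment(header: dict) -> str:
    """Build a protected-header segment; used here only to construct sample tokens."""
    return b64url_encode(json.dumps(header, separators=(",", ":")).encode())


def precheck_detached_jws(token: str, *, max_token_len: int = MAX_TOKEN_LEN,
                          max_header_len: int = MAX_HEADER_LEN) -> dict:
    """Shape checks to run before handing a detached JWS to a verifier.

    Returns the parsed protected header on success and raises ValueError otherwise.
    Nothing here checks the signature; the point is to refuse input whose shape
    cannot be a valid detached unencoded-payload JWS before any decoding or
    cryptographic work is spent on it.
    """
    if len(token) > max_token_len:
        raise ValueError("token exceeds size limit")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-segment compact JWS")
    header_seg, payload_seg, sig_seg = parts
    # Bound the header before decoding it: it is the only segment we decode here.
    if not header_seg or len(header_seg) > max_header_len:
        raise ValueError("protected header segment missing or too large")
    try:
        header = json.loads(b64url_decode(header_seg))
    except ValueError as exc:  # binascii.Error and UnicodeDecodeError are ValueErrors
        raise ValueError("protected header is not valid Base64URL JSON") from exc
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    if header.get("b64", True) is not False:
        raise ValueError('detached-payload verification requires "b64": false')
    crit = header.get("crit", [])
    # RFC 7797 section 6 calls for "b64" to be listed in "crit" unless every
    # recipient is known to support it; requiring it here is this example's choice.
    if not isinstance(crit, list) or "b64" not in crit:
        raise ValueError('"b64" must be listed in "crit"')
    # This middle segment is what the vulnerability amplifies: for a detached
    # payload it must be empty, so reject anything else before it is ever decoded.
    if payload_seg != "":
        raise ValueError("detached JWS must carry an empty payload segment")
    if not sig_seg:
        raise ValueError("signature segment missing")
    return header


def is_rejected(token: str) -> bool:
    """True when the pre-check refuses the token (convenience for callers and tests)."""
    try:
        precheck_detached_jws(token)
    except ValueError:
        return False or True
    return False


if __name__ == "__main__":
    # Constructed samples: the signature segment is a placeholder, not a real MAC.
    hdr = make_header_segment({"alg": "HS256", "b64": False, "crit": ["b64"]})
    good = f"{hdr}..c2lnbmF0dXJl"                 # detached: empty middle segment
    stuffed = f"{hdr}.{'A' * 2000}.c2lnbmF0dXJl"  # attacker fills the payload segment
    huge = f"{hdr}.{'A' * 100000}.c2lnbmF0dXJl"   # exceeds MAX_TOKEN_LEN outright
    for name, tok in [("good", good), ("stuffed", stuffed), ("huge", huge)]:
        print(name, "rejected" if is_rejected(tok) else "accepted, pass to verifier")
```

Only a token that passes the pre-check is handed to the JWS verifier together with the server-side detached payload; everything else is dropped with no Base64URL decoding of the middle segment and no signature computation, which removes the cheap amplification path even on a version that has not yet moved to 2.13.0.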

Source: NVD

Related CVEs

Same vendor

  • CVE-2026-48526 PyJWT is a JSON Web Token implementation in Python (7.4 HIGH)
  • CVE-2026-48524 PyJWT is a JSON Web Token implementation in Python (3.7 LOW)
  • CVE-2026-48523 PyJWT is a JSON Web Token implementation in Python (5.4 MEDIUM)
  • CVE-2026-48522 PyJWT is a JSON Web Token implementation in Python (4.2 MEDIUM)

Same CWE

  • CVE-2026-47734 Dulwich is a pure-Python implementation of the Git file formats and protocols (5.7 MEDIUM)
  • CVE-2026-46689 Kanidm is an identity management platform
  • CVE-2026-46679 libp2p is a JavaScript Implementation of libp2p networking stack (7.5 HIGH)
  • CVE-2026-46522 ImageMagick is free and open-source software used for editing and manipulating digital images (7.5 HIGH)
  • CVE-2026-45783 libp2p is a JavaScript Implementation of libp2p networking stack (7.5 HIGH)