CVE-2026-48523— pyjwt 安全漏洞

PyJWT: Algorithm allow-list bypass when decoding with `PyJWK` / `PyJWKClient` keys

PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode() or jwt.decode_complete() are called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms allow-list, but signature verification is performed with the algorithm bound to the PyJWK object instead of the header algorithm. An attacker who controls a registered JWK/JWKS private key can sign with a disallowed algorithm, advertise an allowed algorithm in the JWT header, and still be accepted. The issue affects the documented PyJWKClient.get_signing_key_from_jwt(...) flow. This vulnerability is fixed in 2.13.0.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

密码学签名的验证不恰当

pyjwt 安全漏洞

pyjwt是美国José Padilla个人开发者的一个 Python 库。允许对 JSON Web 令牌（JWT）进行编码和解码。 pyjwt 2.9.0版本至2.12.1版本存在安全漏洞，该漏洞源于当使用PyJWK密钥调用jwt.decode()或jwt.decode_complete()时，验证器端算法允许列表被绕过，令牌头算法与调用者提供的算法允许列表进行比对，但签名验证使用绑定到PyJWK对象的算法而非头算法，导致攻击者可以使用不允许的算法签名，在JWT头中声明允许的算法，仍被接受。

N/A

N/A