Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2026-48525— PyJWT: Unauthenticated DoS via unbounded Base64URL decoding of unused payload segment in b64=false detached JWS

CVSS 5.3 · Medium EPSS 0.04% · P12

Affected Version Matrix 1

VendorProductVersion RangeStatus
jpadillapyjwt>= 2.8.0, < 2.13.0affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-48525

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
PyJWT: Unauthenticated DoS via unbounded Base64URL decoding of unused payload segment in b64=false detached JWS
Source: NVD (National Vulnerability Database)
Vulnerability Description
PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option ("b64": false, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For b64=false, PyJWT later discards that decoded payload and replaces it with the caller-provided detached_payload. In practice, this turns the middle segment into an attacker-controlled “work amplifier”: a remote client can supply an arbitrarily large Base64URL payload segment that forces CPU work + memory allocations even if the signature is invalid. This creates an unauthenticated DoS vector against any endpoint that verifies detached JWS using PyJWT. This vulnerability is fixed in 2.13.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
未加控制的资源消耗(资源穷尽)
Source: NVD (National Vulnerability Database)
Vulnerability Title
pyjwt 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
pyjwt是美国José Padilla个人开发者的一个 Python 库。允许对 JSON Web 令牌(JWT)进行编码和解码。 PyJWT 2.8.0版本至2.12.1版本存在安全漏洞,该漏洞源于在验证使用未编码有效载荷选项的分离JWS令牌时,PyJWT在强制执行分离有效载荷规则之前对紧凑序列化有效载荷段进行Base64URL解码,导致远程客户端可以提供任意大的Base64URL有效载荷段,即使签名无效也会强制CPU工作和内存分配,造成未经验证的拒绝服务攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
jpadillapyjwt >= 2.8.0, < 2.13.0 -

II. Public POCs for CVE-2026-48525

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-48525

登录查看更多情报信息。

Vendor Advisories for CVE-2026-48525 (1)

Same Patch Batch · jpadilla · 2026-05-28 · 5 CVEs total

CVE-2026-485267.4 HIGHPyJWT: Public-key JWK accepted as HMAC secret enables forged HS256 tokens when mixed famil
CVE-2026-485235.4 MEDIUMPyJWT: Algorithm allow-list bypass when decoding with `PyJWK` / `PyJWKClient` keys
CVE-2026-485224.2 MEDIUMPyJWKClient: missing scheme allowlist enables SSRF + token forgery via file://, ftp://, da
CVE-2026-485243.7 LOWPyJWT: PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (Do

IV. Related Vulnerabilities

Same product: pyjwt
Same vendor: jpadilla
Same weakness: CWE-400

V. Comments for CVE-2026-48525

No comments yet

Leave a comment