Safety vulnerability ID: 48542
The information on this page was manually curated by our Cybersecurity Intelligence Team.
PyJWT 2.4.0 includes a fix for CVE-2022-29217: An attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify 'jwt.algorithms.get_default_algorithms()' to get support for all algorithms, or specify a single algorithm. The issue is not that big as 'algorithms=jwt.algorithms.get_default_algorithms()' has to be used. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.
Latest version: 2.8.0
JSON Web Token implementation in Python
-----------------------------------------------------------------------
Security
~~~~~~~~
- [CVE-2022-29217] Prevent key confusion through non-blocklisted public key formats. https://github.com/jpadilla/pyjwt/security/advisories/GHSA-ffqj-6fqr-9h24
Changed
~~~~~~~
- Explicit check the key for ECAlgorithm by estin in https://github.com/jpadilla/pyjwt/pull/713
- Raise DeprecationWarning for jwt.decode(verify=...) by akx in https://github.com/jpadilla/pyjwt/pull/742
Fixed
~~~~~
- Don't use implicit optionals by rekyungmin in https://github.com/jpadilla/pyjwt/pull/705
- documentation fix: show correct scope for decode_complete() by sseering in https://github.com/jpadilla/pyjwt/pull/661
- fix: Update copyright information by kkirsche in https://github.com/jpadilla/pyjwt/pull/729
- Don't mutate options dictionary in .decode_complete() by akx in https://github.com/jpadilla/pyjwt/pull/743
Added
~~~~~
- Add support for Python 3.10 by hugovk in https://github.com/jpadilla/pyjwt/pull/699
- api_jwk: Add PyJWKSet.__getitem__ by woodruffw in https://github.com/jpadilla/pyjwt/pull/725
- Update usage.rst by guneybilen in https://github.com/jpadilla/pyjwt/pull/727
- Docs: mention performance reasons for reusing RSAPrivateKey when encoding by dmahr1 in https://github.com/jpadilla/pyjwt/pull/734
- Fixed typo in usage.rst by israelabraham in https://github.com/jpadilla/pyjwt/pull/738
- Add detached payload support for JWS encoding and decoding by fviard in https://github.com/jpadilla/pyjwt/pull/723
- Replace various string interpolations with f-strings by akx in https://github.com/jpadilla/pyjwt/pull/744
- Update CHANGELOG.rst by hipertracker in https://github.com/jpadilla/pyjwt/pull/751
Scan your Python project for dependency vulnerabilities in two minutes
Scan your application