CVE-2024-53861

LOW2.2EPSS 1.0%

PyJWT Issuer field partial matches allowed

Published: 12/2/2024Modified: 2/4/2026
Also known as:GHSA-75c5-xw7c-p5pmCGA-29jx-3fvh-5p5g

Description

### Summary The wrong string if check is run for `iss` checking, resulting in `"acb"` being accepted for `"_abc_"`. ### Details This is a bug introduced in version [2.10.0](https://github.com/jpadilla/pyjwt/commit/1570e708672aa9036bc772476beae8bfa48f4131#diff-6893ad4a1c5a36b8af3028db8c8bc3b62418149843fc382faf901eaab008e380R366): checking the "iss" claim changed from `isinstance(issuer, list)` to `isinstance(issuer, Sequence)`. ```diff - if isinstance(issuer, list): + if isinstance(issuer, Sequence): if payload["iss"] not in issuer: raise InvalidIssuerError("Invalid issuer") else: ``` Since str is a Sequnce, but not a list, `in` is also used for string comparison. This results in `if "abc" not in "__abcd__":` being checked instead of `if "abc" != "__abc__":`. ### PoC Check out the unit tests added here: https://github.com/jpadilla/pyjwt-ghsa-75c5-xw7c-p5pm ```python issuer = "urn:expected" payload = {"iss": "urn:"} token = jwt.encode(payload, "secret") # decode() succeeds, even though `"urn:" != "urn:expected". No exception is raised. with pytest.raises(InvalidIssuerError): jwt.decode(token, "secret", issuer=issuer, algorithms=["HS256"]) ``` ### Impact I would say the real world impact is not that high, seeing as the signature still has to match. We should still fix it.

Affected packages (1)

CVSS scores

SourceVersionSeverityVector
osvCVSS 4.0CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
osvCVSS 3.1LOW2.2CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N

References (5)