CVE-2026-48525

描述

PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option ("b64": false, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For b64=false, PyJWT later discards that decoded payload and replaces it with the caller-provided detached_payload. In practice, this turns the middle segment into an attacker-controlled “work amplifier”: a remote client can supply an arbitrarily large Base64URL payload segment that forces CPU work + memory allocations even if the signature is invalid. This creates an unauthenticated DoS vector against any endpoint that verifies detached JWS using PyJWT. This vulnerability is fixed in 2.13.0.

受影響套件(2)

• Debian/pyjwtfrom 0
• PyPI/pyjwt>= 2.8.0, < 2.13.0

CVSS 分數

參考連結(2)

• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-48525
• EXPLOIThttps://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39