CVE-2022-29217

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-29217
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-29217.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-29217
Aliases
Downstream
Related
Published
2022-05-24T14:10:10Z
Modified
2025-12-04T10:20:35.415428Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Key confusion through non-blocklisted public key formats in PyJWT
Details

PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify jwt.algorithms.get_default_algorithms() to get support for all algorithms, or specify a single algorithm. The issue is not that big as algorithms=jwt.algorithms.get_default_algorithms() has to be used. Users should upgrade to v2.4.0 to receive a patch for this issue. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-327"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/29xxx/CVE-2022-29217.json"
}
References

Affected packages

Git / github.com/jpadilla/pyjwt

Affected ranges

Type
GIT
Repo
https://github.com/jpadilla/pyjwt
Events
Introduced
908ee84aeefb8126a94e48e88ba9916d9d2512b3
Fixed
83ff831a4d11190e3a0bed781da43f8d84352653

Affected versions

1.*

1.5.0
1.5.1
1.5.2
1.5.3
1.6.0
1.6.1
1.6.3
1.6.4
1.7.0
1.7.1

2.*

2.0.0
2.0.0a1
2.0.0a2
2.0.1
2.1.0
2.2.0
2.3.0