CVE-2024-53861 — Vulnetix

Try Vulnetix Request Demo

CVE-2024-53861 PUBLISHED CVSS 2.200000047683716 LOW

pyjwt is a JSON Web Token implementation in Python. An incorrect string comparison is run for `iss` checking, resulting in `"acb"` being accepted for `"_abc_"`. This is a bug introduced in version 2.10.0: checking the "iss" claim changed from `isinstance(issuer, list)` to `isinstance(issuer, Sequence)`. Since str is a Sequnce, but not a list, `in` is also used for string comparison. This results in `if "abc" not in "__abcd__":` being checked instead of `if "abc" != "__abc__":`. Signature checks are still present so real world impact is likely limited to denial of service scenarios. This issue has been patched in version 2.10.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.

EPSS 1.02% · 77.1th percentile

Risk Scores

CVSS v3.1

2.200000047683716

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N

EPSS Score

1.02%

77.1th percentile

Affected Products

Vendor	Product	Versions
pyjwt_project	pyjwt	2.10.0
jpadilla	pyjwt	= 2.10.0
pyjwt_project	pyjwt	2.10.0
PyPI	PyJWT	2.10.0, 2.10.0

Timeline

Jan 21, 1970 Security Advisory
Nov 29, 2024 Coalition ESS Score
Nov 29, 2024 CVE Published
Nov 30, 2024 EPSS Score
Dec 2, 2024 Coalition ESS Score
Dec 2, 2024 CVE Updated
Dec 18, 2024 EPSS Score
Jan 3, 2025 EPSS Score
Jan 20, 2025 EPSS Score
Feb 5, 2025 EPSS Score
Feb 22, 2025 EPSS Score
Mar 10, 2025 EPSS Score

References

Open in Interactive Console →