CVE-2026-48525: Uncontrolled Resource Consumption in PyJWT Detached JWS Verification
Vulnerability ID: CVE-2026-48525
CVSS Score: 5.3
Published: 2026-06-15
PyJWT versions 2.8.0 through 2.12.1 are vulnerable to an unauthenticated Denial of Service (DoS) attack. When verifying detached JSON Web Signatures (JWS) using the unencoded-payload option (RFC 7797, b64=false), the library eagerly decodes the payload segment before verifying the header configuration or the cryptographic signature. This behavior enables a remote, unauthenticated attacker to inject an arbitrarily large payload segment, triggering excessive CPU and memory resource consumption prior to signature validation.
TL;DR
PyJWT eagerly decodes JWS payload segments before validating the b64=false header configuration, enabling an unauthenticated remote Denial of Service attack via large, dummy payload strings.
Technical Details
- CWE ID: CWE-400
- Attack Vector: Network (AV:N)
- CVSS Score: 5.3 (Medium)
- Exploit Status: PoC Analysis / None
- KEV Status: Not Listed
Affected Systems
- PyJWT library installations
-
PyJWT: >= 2.8.0, <= 2.12.1 (Fixed in:
2.13.0)
Code Analysis
Commit: 95791b1
Fix uncontrolled resource consumption when verifying detached JWS tokens using unencoded-payload option
Mitigation Strategies
- Upgrade to PyJWT version 2.13.0 or higher.
- Limit the maximum size of incoming HTTP request headers at the web server or reverse proxy level.
- Implement Web Application Firewall (WAF) rules to inspect and drop JWS payloads exceeding normal length thresholds.
Remediation Steps:
- Identify all Python environments and requirements files referencing PyJWT.
- Update the dependency specification to require 'pyjwt>=2.13.0'.
- Rebuild container images and run dependency security scanning tools to verify the update.
- Deploy the updated application to production environments.
References
Read the full report for CVE-2026-48525 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)