{"uuid": "0f3cbee2-3d9c-41ac-b0ea-8a46fdab0231", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-w7vc-732c-9m39", "type": "seen", "source": "https://gist.github.com/alon710/65e78fc78054322fc9a9e7b7f341ade1", "content": "# CVE-2026-48525: CVE-2026-48525: Uncontrolled Resource Consumption in PyJWT Detached JWS Verification\n\n> **CVSS Score:** 5.3\n> **Published:** 2026-06-15\n> **Full Report:** https://cvereports.com/reports/CVE-2026-48525\n\n## Summary\nPyJWT versions 2.8.0 through 2.12.1 are vulnerable to an unauthenticated Denial of Service (DoS) attack. When verifying detached JSON Web Signatures (JWS) using the unencoded-payload option (RFC 7797, b64=false), the library eagerly decodes the payload segment before verifying the header configuration or the cryptographic signature. This behavior enables a remote, unauthenticated attacker to inject an arbitrarily large payload segment, triggering excessive CPU and memory resource consumption prior to signature validation.\n\n## TL;DR\nPyJWT eagerly decodes JWS payload segments before validating the b64=false header configuration, enabling an unauthenticated remote Denial of Service attack via large, dummy payload strings.\n\n## Technical Details\n\n- **CWE ID**: CWE-400\n- **Attack Vector**: Network (AV:N)\n- **CVSS Score**: 5.3 (Medium)\n- **Exploit Status**: PoC Analysis / None\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- PyJWT library installations\n- **PyJWT**: >= 2.8.0, <= 2.12.1 (Fixed in: `2.13.0`)\n\n## Mitigation\n\n- Upgrade to PyJWT version 2.13.0 or higher.\n- Limit the maximum size of incoming HTTP request headers at the web server or reverse proxy level.\n- Implement Web Application Firewall (WAF) rules to inspect and drop JWS payloads exceeding normal length thresholds.\n\n**Remediation Steps:**\n1. Identify all Python environments and requirements files referencing PyJWT.\n2. Update the dependency specification to require 'pyjwt>=2.13.0'.\n3. Rebuild container images and run dependency security scanning tools to verify the update.\n4. Deploy the updated application to production environments.\n\n## References\n\n- [GitHub Security Advisory](https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39)\n- [GitHub Fix Commit](https://github.com/jpadilla/pyjwt/commit/95791b1759b8aa4f2203575d344d5c78564cdc81)\n- [CVE Record](https://www.cve.org/CVERecord?id=CVE-2026-48525)\n- [Wiz Vulnerability Database entry](https://www.wiz.io/vulnerability-database/cve/cve-2026-48525)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48525) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-15T19:41:20.000000Z"}