Explore top 10 tips to secure your open-source projects now. Read More
×
It was discovered that PyJWT, a Python implementation of JSON web tokens insufficiently validated the "crit" header parameter, which could result in incomplete enforcement of authentication settings. For the oldstable distribution (bookworm), this problem has been fixed in version 2.6.0-1+deb12u1.. - ------------------------------------------------------------------------- Debian Security Advisory DSA-6259-1
It was discovered that PyJWT, a Python implementation of JSON Web Token did not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC.. ------------------------------------------------------------------------- Debian LTS Advisory DLA-4564-1
PyJWT could allow unintended access to network services.. ========================================================================== Ubuntu Security Notice USN-8133-1 March 30, 2026 pyjwt vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: PyJWT could allow unintended access to network services. Software Description: - pyjwt: Python 3 implementation of JSON Web Token Details: It was discovered that PyJWT did not validate the critical header parameter, contrary to the RFC specification expectations. A remote attacker could possibly use this issue to bypass certain authentication checks and restrictions. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 25.10 python3-jwt 2.10.1-2ubuntu0.1 Ubuntu 24.04 LTS python3-jwt 2.7.0-1ubuntu0.1 Ubuntu 22.04 LTS python3-jwt 2.3.0-1ubuntu0.3 Ubuntu 20.04 LTS python3-jwt 1.7.1-2ubuntu2.1+esm1 Available with Ubuntu Pro Ubuntu 18.04 LTS python-jwt 1.5.3+ds1-1ubuntu0.1+esm1 Available with Ubuntu Pro python3-jwt 1.5.3+ds1-1ubuntu0.1+esm1 Available with Ubuntu Pro Ubuntu 16.04 LTS python-jwt 1.3.0-1ubuntu0.1+esm1 Available with Ubuntu Pro python3-jwt 1.3.0-1ubuntu0.1+esm1 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8133-1 CVE-2026-32597 Package Information: https://launchpad.net/ubuntu/+source/pyjwt/2.10.1-2ubuntu0.1 https://launchpad.net/ubuntu/+source/pyjwt/2.7.0-1ubuntu0.1 https://launchpad.net/ubuntu/+source/pyjwt/2.3.0-1ubuntu0.3 . PyJWT allows unintended access to network services on Ubuntu. Update to secure versions to protect systems.. PyJWT update, Ubuntu security, authentication vulnerability. . LinuxSecurity.com Team
USN-5526-1 introduced a regression in PyJWT.. =========================================================================Ubuntu Security Notice USN-5526-2 August 17, 2022 pyjwt regression ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS Summary: USN-5526-1 introduced a regression in PyJWT. Software Description: - pyjwt: Python 3 implementation of JSON Web Token Details: USN-5526-1 fixed vulnerabilities in PyJWT. Unfortunately this caused a regression by incrementing the internal package version number on Ubuntu 22.04 LTS. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Aapo Oksman discovered that PyJWT incorrectly handled signatures constructed from SSH public keys. A remote attacker could use this to forge a JWT signature. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS: python3-jwt 2.3.0-1ubuntu0.2 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5526-2 https://ubuntu.com/security/notices/USN-5526-1 https://bugs.launchpad.net/ubuntu/+source/pyjwt/+bug/1986487 Package Information: https://launchpad.net/ubuntu/+source/pyjwt/2.3.0-1ubuntu0.2 . Ubuntu Security Advisory USN-5526-2 resolves an issue in PyJWT impacting Ubuntu 22.04 LTS.. Ubuntu Security Update, PyJWT Regression, Advisory Details. . LinuxSecurity.com Team
PyJWT could allow signature forgery.. =========================================================================Ubuntu Security Notice USN-5526-1 July 20, 2022 pyjwt vulnerability ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS Summary: PyJWT could allow signature forgery. Software Description: - pyjwt: Python 3 implementation of JSON Web Token Details: Aapo Oksman discovered that PyJWT incorrectly handled signatures constructed from SSH public keys. A remote attacker could use this to forge a JWT signature. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS: python3-jwt 2.3.0-1ubuntu0.1 Ubuntu 20.04 LTS: python3-jwt 1.7.1-2ubuntu2.1 Ubuntu 18.04 LTS: python-jwt 1.5.3+ds1-1ubuntu0.1 python3-jwt 1.5.3+ds1-1ubuntu0.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5526-1 CVE-2022-29217 Package Information: https://launchpad.net/ubuntu/+source/pyjwt/2.3.0-1ubuntu0.1 https://launchpad.net/ubuntu/+source/pyjwt/1.7.1-2ubuntu2.1 https://launchpad.net/ubuntu/+source/pyjwt/1.5.3+ds1-1ubuntu0.1 . Secure your Ubuntu installation by applying updates to fix the recent PyJWT signature forgery vulnerability across multiple versions and enhance protection.. PyJWT Security, Signature Forgery Fix, Ubuntu Update. . LinuxSecurity.com Team
It was discovered that PyJWT, a Python implementation of JSON Web Token performed insufficient validation of some public key types, which could allow a remote attacker to craft JWTs from scratch. . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3979-1
Tim McLean discovered that pyjwt, a Python implementation of JSON Web Token, would try to verify an HMAC signature using an RSA or ECDSA public key as secret. This could allow remote attackers to trick applications expecting tokens signed with asymmetric keys, into accepting arbitrary . - ------------------------------------------------------------------------- Debian Security Advisory DSA-3293-1
Get the latest Linux and open source security news straight to your inbox.