Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/pyjwt@1.5.0
Type pypi
Namespace
Name pyjwt
Version 1.5.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 2.12.0
Latest_non_vulnerable_version 2.12.0
Affected_by_vulnerabilities
0
url VCID-d2zq-ad9y-ubbs
vulnerability_id VCID-d2zq-ad9y-ubbs
summary In PyJWT 1.5.0 and below the `invalid_strings` check in `HMACAlgorithm.prepare_key` does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string `-----BEGIN RSA PUBLIC KEY-----` which is not accounted for. This enables symmetric/asymmetric key confusion attacks against users using the PKCS1 PEM encoded public keys, which would allow an attacker to craft JWTs from scratch.
references
0
reference_url https://github.com/advisories/GHSA-r9jw-mwhq-wp62
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-r9jw-mwhq-wp62
1
reference_url https://github.com/jpadilla/pyjwt
reference_id
reference_type
scores
url https://github.com/jpadilla/pyjwt
2
reference_url https://github.com/jpadilla/pyjwt/pull/277
reference_id
reference_type
scores
url https://github.com/jpadilla/pyjwt/pull/277
3
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/pyjwt/PYSEC-2017-24.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/pyjwt/PYSEC-2017-24.yaml
4
reference_url http://www.debian.org/security/2017/dsa-3979
reference_id
reference_type
scores
url http://www.debian.org/security/2017/dsa-3979
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2017-11424
reference_id CVE-2017-11424
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2017-11424
fixed_packages
0
url pkg:pypi/pyjwt@1.5.1
purl pkg:pypi/pyjwt@1.5.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-gptc-c34t-g3e4
1
vulnerability VCID-pfq1-5wrt-a3cd
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pyjwt@1.5.1
aliases CVE-2017-11424, GHSA-r9jw-mwhq-wp62, PYSEC-2017-24
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-d2zq-ad9y-ubbs
1
url VCID-gptc-c34t-g3e4
vulnerability_id VCID-gptc-c34t-g3e4
summary PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.
references
0
reference_url https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f
1
reference_url https://lists.debian.org/debian-lts-announce/2026/05/msg00008.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://lists.debian.org/debian-lts-announce/2026/05/msg00008.html
fixed_packages
0
url pkg:pypi/pyjwt@2.12.0
purl pkg:pypi/pyjwt@2.12.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pyjwt@2.12.0
aliases CVE-2026-32597, GHSA-752w-5fwx-jx9f, PYSEC-2026-120
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gptc-c34t-g3e4
2
url VCID-pfq1-5wrt-a3cd
vulnerability_id VCID-pfq1-5wrt-a3cd
summary
references
0
reference_url https://github.com/jpadilla/pyjwt/commit/9c528670c455b8d948aff95ed50e22940d1ad3fc
reference_id
reference_type
scores
url https://github.com/jpadilla/pyjwt/commit/9c528670c455b8d948aff95ed50e22940d1ad3fc
1
reference_url https://github.com/jpadilla/pyjwt/releases/tag/2.4.0
reference_id
reference_type
scores
url https://github.com/jpadilla/pyjwt/releases/tag/2.4.0
2
reference_url https://github.com/jpadilla/pyjwt/security/advisories/GHSA-ffqj-6fqr-9h24
reference_id
reference_type
scores
url https://github.com/jpadilla/pyjwt/security/advisories/GHSA-ffqj-6fqr-9h24
3
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5PK7IQCBVNLYJEFTPHBBPFP72H4WUFNX/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5PK7IQCBVNLYJEFTPHBBPFP72H4WUFNX/
4
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6HIYEYZRQEP6QTHT3EHH3RGFYJIHIMAO/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6HIYEYZRQEP6QTHT3EHH3RGFYJIHIMAO/
5
reference_url https://security.archlinux.org/AVG-2781
reference_id AVG-2781
reference_type
scores
0
value Unknown
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2781
fixed_packages
0
url pkg:pypi/pyjwt@2.4.0
purl pkg:pypi/pyjwt@2.4.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-gptc-c34t-g3e4
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pyjwt@2.4.0
aliases CVE-2022-29217, GHSA-ffqj-6fqr-9h24, PYSEC-2022-202
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pfq1-5wrt-a3cd
Fixing_vulnerabilities
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pyjwt@1.5.0