{"url":"http://public2.vulnerablecode.io/api/packages/27746?format=json","purl":"pkg:pypi/pyjwt@1.5.3","type":"pypi","namespace":"","name":"pyjwt","version":"1.5.3","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.12.0","latest_non_vulnerable_version":"2.12.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37236?format=json","vulnerability_id":"VCID-gptc-c34t-g3e4","summary":"PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.","references":[{"reference_url":"https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2026/05/msg00008.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://lists.debian.org/debian-lts-announce/2026/05/msg00008.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/48755?format=json","purl":"pkg:pypi/pyjwt@2.12.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyjwt@2.12.0"}],"aliases":["CVE-2026-32597","GHSA-752w-5fwx-jx9f","PYSEC-2026-120"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gptc-c34t-g3e4"},
{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/3191?format=json","vulnerability_id":"VCID-pfq1-5wrt-a3cd","summary":"","references":[{"reference_url":"https://github.com/jpadilla/pyjwt/commit/9c528670c455b8d948aff95ed50e22940d1ad3fc","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jpadilla/pyjwt/commit/9c528670c455b8d948aff95ed50e22940d1ad3fc"},{"reference_url":"https://github.com/jpadilla/pyjwt/releases/tag/2.4.0","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jpadilla/pyjwt/releases/tag/2.4.0"},{"reference_url":"https://github.com/jpadilla/pyjwt/security/advisories/GHSA-ffqj-6fqr-9h24","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/jpadilla/pyjwt/security/advisories/GHSA-ffqj-6fqr-9h24"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5PK7IQCBVNLYJEFTPHBBPFP72H4WUFNX/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5PK7IQCBVNLYJEFTPHBBPFP72H4WUFNX/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6HIYEYZRQEP6QTHT3EHH3RGFYJIHIMAO/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6HIYEYZRQEP6QTHT3EHH3RGFYJIHIMAO/"},{"reference_url":"https://security.archlinux.org/AVG-2781","reference_id":"AVG-2781","reference_type":"","scores":[{"value":"Unknown","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2781"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/27760?format=json","purl":"pkg:pypi/pyjwt@2.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gptc-c34t-g3e4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyjwt@2.4.0"}],"aliases":["CVE-2022-29217","GHSA-ffqj-6fqr-9h24","PYSEC-2022-202"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pfq1-5wrt-a3cd"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/pyjwt@1.5.3"}