CVE-2024-53861
PyJWT Issuer field partial matches allowed
Description
### Summary The wrong string if check is run for `iss` checking, resulting in `"acb"` being accepted for `"_abc_"`. ### Details This is a bug introduced in version [2.10.0](https://github.com/jpadilla/pyjwt/commit/1570e708672aa9036bc772476beae8bfa48f4131#diff-6893ad4a1c5a36b8af3028db8c8bc3b62418149843fc382faf901eaab008e380R366): checking the "iss" claim changed from `isinstance(issuer, list)` to `isinstance(issuer, Sequence)`. ```diff - if isinstance(issuer, list): + if isinstance(issuer, Sequence): if payload["iss"] not in issuer: raise InvalidIssuerError("Invalid issuer") else: ``` Since str is a Sequnce, but not a list, `in` is also used for string comparison. This results in `if "abc" not in "__abcd__":` being checked instead of `if "abc" != "__abc__":`. ### PoC Check out the unit tests added here: https://github.com/jpadilla/pyjwt-ghsa-75c5-xw7c-p5pm ```python issuer = "urn:expected" payload = {"iss": "urn:"} token = jwt.encode(payload, "secret") # decode() succeeds, even though `"urn:" != "urn:expected". No exception is raised. with pytest.raises(InvalidIssuerError): jwt.decode(token, "secret", issuer=issuer, algorithms=["HS256"]) ``` ### Impact I would say the real world impact is not that high, seeing as the signature still has to match. We should still fix it.
How to fix CVE-2024-53861
To remediate CVE-2024-53861, upgrade the affected package to a fixed version below.
- —upgrade to 2.10.1 or later
Is CVE-2024-53861 being exploited?
Low — EPSS is 1.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 2.10.0, < 2.10.1