CVE-2022-39227 — python-jwt vulnerable to token forgery with new claims

Description

An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other user's identities, hijack their sessions, or bypass authentication.

How to fix CVE-2022-39227

To remediate CVE-2022-39227, upgrade the affected package to a fixed version below.

PyPI/python-jwt—upgrade to 3.3.4 or later
—upgrade to 88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9 or later

Is CVE-2022-39227 being exploited?

Likely — EPSS is 65.4%, placing CVE-2022-39227 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (2)

from 0, < 3.3.4
>= f6d1451012c6a04c2fb1940f0bbd93bb6cf2b025, < 88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9 | >= 3.0.0, < 3.3.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
osv	CVSS 3.1	CRITICAL9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-39227
PATCHgithub.com/davedoesdev/python-jwt
WEBgithub.com/davedoesdev/python-jwt/commit/6c5075469847b9e8b6e5336077d989d77a4d2bf1
WEBgithub.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9