Description
PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option ("b64": false, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For b64=false, PyJWT later discards that decoded payload and replaces it with the caller-provided detached_payload. In practice, this turns the middle segment into an attacker-controlled “work amplifier”: a remote client can supply an arbitrarily large Base64URL payload segment that forces CPU work + memory allocations even if the signature is invalid. This creates an unauthenticated DoS vector against any endpoint that verifies detached JWS using PyJWT. This vulnerability is fixed in 2.13.0.
Published: 2026-05-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PyJWT versions 2.8.0 through 2.12.1 perform Base64URL decoding of the middle payload segment of detached JSON Web Signatures even when the payload is later ignored because the token is marked "b64": false. An attacker can supply an arbitrarily large encoding in that segment, causing the library to allocate memory and perform expensive decoding work. The operation fails fast if the signature is invalid, but the required CPU and memory consumption occur before validation, leading to a denial‑of‑service condition for any user who can send requests that include such tokens. This flaw is a classic input validation weakness and is classified as CWE‑400; the unchecked decoding of a potentially unlimited payload also represents an uncontrolled resource consumption flaw (CWE‑770).

Affected Systems

The affected product is the Python JSON Web Token library, PyJWT, released by jpadilla. Vulnerable releases are 2.8.0 through 2.12.1. All systems that import and use PyJWT for detached JWS verification and accept "b64": false payloads are impacted.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. An EPSS score of <1% indicates a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. An attacker can trigger the denial of service without authentication by sending a large Base64URL encoded segment to any endpoint that performs detached JWS verification with PyJWT. The attack does not require compromising other components; it merely exploits the library’s unchecked decoding logic.

Generated by OpenCVE AI on June 5, 2026 at 05:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PyJWT to version 2.13.0 or later, where the decoding step is removed for "b64": false tokens.
  • If an upgrade cannot be performed immediately, configure services to reject any JWS request that uses "b64": false or disable detached payload verification until the library is patched.
  • Implement a pre‑decode size check or limit the length of the payload segment to prevent excessive CPU and memory usage during token validation.

Generated by OpenCVE AI on June 5, 2026 at 05:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-w7vc-732c-9m39 PyJWT: Unauthenticated DoS via unbounded Base64URL decoding of unused payload segment in b64=false detached JWS
History

Fri, 05 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 01 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Pyjwt Project
Pyjwt Project pyjwt
CPEs cpe:2.3:a:pyjwt_project:pyjwt:*:*:*:*:*:*:*:*
Vendors & Products Pyjwt Project
Pyjwt Project pyjwt

Thu, 28 May 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Jpadilla
Jpadilla pyjwt
Vendors & Products Jpadilla
Jpadilla pyjwt

Thu, 28 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option ("b64": false, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For b64=false, PyJWT later discards that decoded payload and replaces it with the caller-provided detached_payload. In practice, this turns the middle segment into an attacker-controlled “work amplifier”: a remote client can supply an arbitrarily large Base64URL payload segment that forces CPU work + memory allocations even if the signature is invalid. This creates an unauthenticated DoS vector against any endpoint that verifies detached JWS using PyJWT. This vulnerability is fixed in 2.13.0.
Title PyJWT: Unauthenticated DoS via unbounded Base64URL decoding of unused payload segment in b64=false detached JWS
Weaknesses CWE-400
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Jpadilla Pyjwt
Pyjwt Project Pyjwt
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T15:59:19.219Z

Reserved: 2026-05-21T16:18:10.619Z

Link: CVE-2026-48525

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-28T16:16:29.533

Modified: 2026-06-01T17:45:15.763

Link: CVE-2026-48525

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-28T15:11:12Z

Links: CVE-2026-48525 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T06:00:06Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption

  • CWE-770

    Allocation of Resources Without Limits or Throttling