PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48525 jpadilla CVE debrief

A denial-of-service vulnerability exists in PyJWT versions 2.8.0 through 2.12.1 when processing detached JSON Web Signature (JWS) tokens with the unencoded-payload option (RFC 7797). The library unnecessarily decodes a Base64URL payload segment from the compact serialization before validating the signature and applying detached-payload rules. This allows unauthenticated remote attackers to force excessive CPU and memory consumption by submitting arbitrarily large payload segments, even when the signature is invalid. The vulnerability affects any endpoint verifying detached JWS tokens using PyJWT. The issue is resolved in version 2.13.0.

Vendor: jpadilla
Product: pyjwt
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Organizations running PyJWT 2.8.0-2.12.1 for JWS verification, particularly those exposing endpoints that accept detached JWS tokens from untrusted sources. This includes API gateways, authentication services, and any Python applications implementing JOSE (JSON Object Signing and Encryption) workflows with RFC 7797 unencoded payload support.

Technical summary

The vulnerability stems from PyJWT's processing order when handling detached JWS with the unencoded-payload option. Per RFC 7797, when 'b64' is false, the payload is not base64url-encoded and is conveyed separately from the JWS compact serialization. However, PyJWT 2.8.0-2.12.1 decodes the middle segment of the compact serialization as Base64URL before checking whether the token uses detached payload mode. This decoded value is later discarded and replaced with the caller-provided detached_payload, but the decoding operation has already consumed resources proportional to the attacker's input size. An attacker can craft a JWS with a valid header and signature but an extremely large middle segment, causing resource exhaustion on verification attempts regardless of signature validity. The fix in 2.13.0 reorders validation to enforce detached-payload rules before performing expensive decoding operations.

Defensive priority

medium

Recommended defensive actions

  • Upgrade PyJWT to version 2.13.0 or later to eliminate the vulnerability
  • If immediate patching is not feasible, enforce input size limits on JWS tokens before passing them to PyJWT for verification
  • Review application endpoints that verify detached JWS tokens and monitor them for anomalous CPU and memory consumption
  • Validate that any middleware or proxy layers enforce reasonable request size limits, so oversized tokens are dropped before they reach the verifier
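The pre-verification size limit from the second action above, as an added example (not PatchSiren's or PyJWT's code): a guard that inspects the compact serialization and decodes only the size-capped protected header, never the payload segment, so an oversized middle segment is rejected before any decoding or signature work. It assumes the `MAX_TOKEN_BYTES` and `MAX_HEADER_BYTES` limits and the page's RFC 7797 convention that a detached token carries `b64: false` and an empty payload segment; the sample tokens and their signatures are constructed.

```python
import base64
import json

# Assumed limits for this example; tune them for the deployment.
MAX_TOKEN_BYTES = 8192
MAX_HEADER_BYTES = 1024

class JWSRejected(ValueError):
    """Raised when a compact JWS fails the cheap structural pre-checks."""

def _b64url_decode(segment: str) -> bytes:
    # Compact JWS strips base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def precheck_compact_jws(token: str, detached: bool) -> dict:
    """Reject oversized or malformed tokens before any signature work; only the
    size-capped protected header is decoded, never the payload segment."""
    if len(token) > MAX_TOKEN_BYTES:
        raise JWSRejected("token exceeds size limit")
    parts = token.split(".")
    if len(parts) != 3:
        raise JWSRejected("compact JWS must have exactly three segments")
    header_b64, payload_b64, signature_b64 = parts
    if len(header_b64) > MAX_HEADER_BYTES or not signature_b64:
        raise JWSRejected("protected header too large or signature missing")
    try:
        header = json.loads(_b64url_decode(header_b64))
        unencoded = header.get("b64", True) is False  # AttributeError if not an object
    except (ValueError, AttributeError) as exc:
        raise JWSRejected("protected header is not a base64url JSON object") from exc
    if detached:
        # RFC 7797 detached payload arrives out of band, so the middle segment must be
        # empty; anything else is bulk the library would only decode and then discard.
        if payload_b64 != "" or not unencoded:
            raise JWSRejected("detached JWS needs b64=false and an empty payload segment")
    elif unencoded:
        raise JWSRejected("b64=false token sent to a non-detached verifier")
    return header

def accepts(token: str, detached: bool) -> bool:
    """Boolean form of the check, for callers that gate without try/except."""
    try:
        precheck_compact_jws(token, detached)
        return True
    except JWSRejected:
        return False

# Constructed sample tokens (dummy "sig" signatures; no verification happens here).
_HDR = base64.urlsafe_b64encode(b'{"alg":"HS256","b64":false,"crit":["b64"]}').rstrip(b"=").decode()
SAMPLE_DETACHED_OK = f"{_HDR}..c2ln"            # empty payload segment, as RFC 7797 detached requires
SAMPLE_OVERSIZED = f"{_HDR}.{'A' * 4000}.c2ln"  # same header, but a bulky middle segment
```

Run the guard on the raw token string before the PyJWT decode call that receives `detached_payload`; it is a pre-filter for unpatched deployments, not a substitute for upgrading to 2.13.0.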

Evidence notes

CVE published 2026-05-28T16:16:29.533Z; modified 2026-05-28T18:03:16.223Z. CVSS 3.1 score 5.3 (MEDIUM). Affected versions: PyJWT 2.8.0 to 2.12.1. Fixed in 2.13.0. CWE-400 (Uncontrolled Resource Consumption).
