CVE-2026-48525 - Vulnerability Details

- PyJWT: Unauthenticated DoS via unbounded Base64URL decoding of unused payload segment in b64=false detached JWS

Description

PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option ("b64": false, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For b64=false, PyJWT later discards that decoded payload and replaces it with the caller-provided detached_payload. In practice, this turns the middle segment into an attacker-controlled “work amplifier”: a remote client can supply an arbitrarily large Base64URL payload segment that forces CPU work + memory allocations even if the signature is invalid. This creates an unauthenticated DoS vector against any endpoint that verifies detached JWS using PyJWT. This vulnerability is fixed in 2.13.0.

Published: 2026-05-28

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

jpadilla

pyjwt

affected

Version	Status	Constraints
`>= 2.8.0, < 2.13.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:pyjwt_project:pyjwt:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Jpadilla

Pyjwt

100%

Version	Status	Scheme	Platform
`[2.8.0,2.13.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-w7vc-732c-9m39	PyJWT: Unauthenticated DoS via unbounded Base64URL decoding of unused payload segment in b64=false detached JWS

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00288.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39
https://nvd.nist.gov/vuln/detail/CVE-2026-48525
https://www.cve.org/CVERecord?id=CVE-2026-48525

History

Fri, 05 Jun 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-770
References		https://nvd.nist.gov/vuln/detail/CVE-2026-48525 https://www.cve.org/CVERecord?id=CVE-2026-48525
Metrics	threat_severity `None`	threat_severity `Moderate`

Mon, 01 Jun 2026 18:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Pyjwt Project Pyjwt Project pyjwt
CPEs		cpe:2.3:a:pyjwt_project:pyjwt::::::::
Vendors & Products		Pyjwt Project Pyjwt Project pyjwt

Thu, 28 May 2026 18:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Jpadilla Jpadilla pyjwt
Vendors & Products		Jpadilla Jpadilla pyjwt

Thu, 28 May 2026 15:30:00 +0000

Type	Values Removed	Values Added
Description		PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option ("b64": false, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For b64=false, PyJWT later discards that decoded payload and replaces it with the caller-provided detached_payload. In practice, this turns the middle segment into an attacker-controlled “work amplifier”: a remote client can supply an arbitrarily large Base64URL payload segment that forces CPU work + memory allocations even if the signature is invalid. This creates an unauthenticated DoS vector against any endpoint that verifies detached JWS using PyJWT. This vulnerability is fixed in 2.13.0.
Title		PyJWT: Unauthenticated DoS via unbounded Base64URL decoding of unused payload segment in b64=false detached JWS
Weaknesses		CWE-400
References		https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}`

Subscriptions

Jpadilla Pyjwt

Pyjwt Project Pyjwt

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-28T15:11:12.483Z

Updated: 2026-06-23T15:54:09.003Z

Reserved: 2026-05-21T16:18:10.619Z

Link: CVE-2026-48525

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-28T16:16:29.533

Modified: 2026-06-01T17:45:15.763

Link: CVE-2026-48525

Redhat

Severity : Moderate

Publid Date: 2026-05-28T15:11:12Z

Links: CVE-2026-48525 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-05T06:00:06Z

Weaknesses

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object