CVE-2025-45768 identifies a vulnerability in the pyjwt library version 2.10.1, which is a widely used Python library for encoding and decoding JSON Web Tokens (JWTs). The reported issue concerns weak encryption practices within the library. Specifically, the vulnerability relates to the cryptographic strength of the keys used during JWT signing and verification. The supplier disputes the claim, stating that the key length is determined by the application using the library rather than the library itself, implying that the vulnerability arises from improper key management by implementers rather than an inherent flaw in pyjwt. However, the lack of enforced minimum key length or strict cryptographic policies within the library means that applications using weak keys are susceptible to cryptographic attacks. The vulnerability is classified under CWE-311, which relates to the use of insufficiently protected credentials or cryptographic keys. The CVSS v3.1 score is 7.0 (high severity), with vector metrics indicating a network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), low confidentiality and integrity impact (C:L, I:L), but high availability impact (A:H). This suggests that exploitation could lead to denial of service or disruption of availability, possibly through cryptographic failures or token forgery leading to service interruptions. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability highlights the importance of enforcing strong cryptographic key policies and possibly enhancing the library to provide minimum key length enforcement or warnings to prevent weak key usage.

For European organizations, the impact of this vulnerability can be significant, especially for those relying on pyjwt for authentication and authorization in web applications, APIs, and microservices. Weak encryption keys can allow attackers to forge JWTs or disrupt token validation processes, potentially leading to unauthorized access, privilege escalation, or denial of service conditions. Given the high availability impact, critical services depending on JWT-based authentication could experience outages or degraded performance. This is particularly concerning for sectors such as finance, healthcare, and government services in Europe, where secure identity management is crucial. Additionally, the low confidentiality and integrity impact suggests that while data leakage or tampering might be limited, the disruption of service availability could have cascading effects on business operations and regulatory compliance, including GDPR requirements for data protection and service continuity. The lack of enforced cryptographic standards in the library increases the risk that less security-aware developers might deploy vulnerable configurations, amplifying the threat landscape.

European organizations should take a multi-layered approach to mitigate this vulnerability: 1) Audit all applications using pyjwt to verify the cryptographic key lengths and algorithms employed. Ensure keys meet strong cryptographic standards (e.g., minimum 256-bit keys for HMAC, or use of robust asymmetric algorithms). 2) Implement application-level enforcement of minimum key lengths and reject weak keys before passing them to pyjwt. 3) Monitor and log JWT validation failures and anomalies to detect potential exploitation attempts. 4) Engage with the pyjwt maintainers or community to advocate for library enhancements that enforce or warn about weak key usage, such as built-in minimum key length checks or configuration options for strict cryptographic policies. 5) Where possible, migrate to alternative JWT libraries that provide stronger default cryptographic enforcement or have active patching for this issue. 6) Educate developers and security teams about secure JWT usage and cryptographic best practices. 7) Prepare incident response plans for potential service disruptions caused by token forgery or validation failures. 8) Regularly update dependencies and monitor vulnerability disclosures for pyjwt and related libraries.