CVE-2026-48525: CWE-400: Uncontrolled Resource Consumption in jpadilla pyjwt
PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option ("b64": false, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For b64=false, PyJWT later discards that decoded payload and replaces it with the caller-provided detached_payload. In practice, this turns the middle segment into an attacker-controlled “work amplifier”: a remote client can supply an arbitrarily large Base64URL payload segment that forces CPU work + memory allocations even if the signature is invalid. This creates an unauthenticated DoS vector against any endpoint that verifies detached JWS using PyJWT. This vulnerability is fixed in 2.13.0.
AI Analysis
Technical Summary
PyJWT is a Python library for JSON Web Token handling. Between versions 2.8.0 and 2.12.1, when verifying detached JWS tokens using the unencoded-payload option (b64=false as per RFC 7797), PyJWT decodes the compact-serialization payload segment before applying detached-payload rules. This decoded payload is then discarded and replaced with the caller-provided detached_payload. However, this decoding step allows an attacker to supply an arbitrarily large Base64URL payload segment, causing excessive CPU and memory consumption. This vulnerability (CWE-400) can be exploited remotely without authentication to cause a denial-of-service condition. The vulnerability is addressed in PyJWT version 2.13.0.
Potential Impact
An unauthenticated remote attacker can cause PyJWT to perform excessive CPU and memory operations by supplying a large Base64URL payload segment in detached JWS verification with b64=false. This leads to denial-of-service conditions on affected systems. There is no impact on confidentiality or integrity, only availability is affected. No known exploits are reported in the wild.
Mitigation Recommendations
Upgrade PyJWT to version 2.13.0 or later, where this vulnerability is fixed. Patch status is confirmed by the vendor's versioning information. Until upgrading, avoid verifying detached JWS tokens with the unencoded-payload option (b64=false).
CVE-2026-48525: CWE-400: Uncontrolled Resource Consumption in jpadilla pyjwt
Description
PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option ("b64": false, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For b64=false, PyJWT later discards that decoded payload and replaces it with the caller-provided detached_payload. In practice, this turns the middle segment into an attacker-controlled “work amplifier”: a remote client can supply an arbitrarily large Base64URL payload segment that forces CPU work + memory allocations even if the signature is invalid. This creates an unauthenticated DoS vector against any endpoint that verifies detached JWS using PyJWT. This vulnerability is fixed in 2.13.0.
CVSS v3.1
Score 5.3medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
PyJWT is a Python library for JSON Web Token handling. Between versions 2.8.0 and 2.12.1, when verifying detached JWS tokens using the unencoded-payload option (b64=false as per RFC 7797), PyJWT decodes the compact-serialization payload segment before applying detached-payload rules. This decoded payload is then discarded and replaced with the caller-provided detached_payload. However, this decoding step allows an attacker to supply an arbitrarily large Base64URL payload segment, causing excessive CPU and memory consumption. This vulnerability (CWE-400) can be exploited remotely without authentication to cause a denial-of-service condition. The vulnerability is addressed in PyJWT version 2.13.0.
Potential Impact
An unauthenticated remote attacker can cause PyJWT to perform excessive CPU and memory operations by supplying a large Base64URL payload segment in detached JWS verification with b64=false. This leads to denial-of-service conditions on affected systems. There is no impact on confidentiality or integrity, only availability is affected. No known exploits are reported in the wild.
Mitigation Recommendations
Upgrade PyJWT to version 2.13.0 or later, where this vulnerability is fixed. Patch status is confirmed by the vendor's versioning information. Until upgrading, avoid verifying detached JWS tokens with the unencoded-payload option (b64=false).
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-21T16:18:10.619Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a186056e29bf47b500b42db
Added to database: 5/28/2026, 3:33:42 PM
Last enriched: 5/28/2026, 3:49:37 PM
Last updated: 5/28/2026, 10:52:36 PM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.