
AVID-2026-R1122

Description

Python-jwt subject to Authentication Bypass by Spoofing (CVE-2022-39227)

Details

python-jwt is a module for generating and verifying JSON Web Tokens. Versions prior to 3.3.4 are subject to Authentication Bypass by Spoofing, resulting in identity spoofing, session hijacking or authentication bypass. An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other users' identities, hijack their sessions, or bypass authentication. Users should upgrade to version 3.3.4. There are no known workarounds.
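Forging a token's contents without the key is the classic symptom of a verifier that checks a signature over one set of bytes while the application reads claims from another. The following is an added example, not python-jwt's code and not a reconstruction of its 3.3.4 fix: a standard-library HS256 compact-JWS verifier that rules that divergence out (serialization pinned to three segments, strict base64url decoding, verifier-side algorithm pinning, claims decoded only from the segment whose signature was just checked), plus a helper that tells whether a python-jwt version string falls in the advisory's affected range. The key, the claims and the tampered variants in `forgeries_of()` are constructed for the demonstration and are illustrative, not the advisory's exploit.

```python
"""Strict compact-JWS (HS256) verifier plus a python-jwt affected-range check.
Added example, standard library only; not python-jwt's code and not its 3.3.4
fix. It shows the property a verifier needs so that the claims an application
acts on are exactly the bytes whose signature was checked. Key, claims and
forged variants are constructed for the demonstration."""
import base64
import hashlib
import hmac
import json
import re

SECRET = b"constructed-demo-key-do-not-reuse"  # constructed sample key

class InvalidToken(Exception):
    pass

def python_jwt_is_affected(version: str) -> bool:
    """True when a python-jwt version string falls in the advisory range (< 3.3.4)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(x or 0) for x in m.groups()) < (3, 3, 4)

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    """Strict base64url: canonical alphabet only, no padding, no stray bytes. Lenient
    decoders silently drop non-alphabet bytes, so two parsers can disagree about a segment."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", segment):
        raise InvalidToken("segment is not canonical base64url")
    try:
        return base64.b64decode(segment + "=" * (-len(segment) % 4), altchars=b"-_", validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise InvalidToken("segment is not decodable") from exc

def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint a compact HS256 token; stands in for the legitimate issuer."""
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

def verify_jwt(token: str, key: bytes) -> dict:
    """Return the claims only if they are the bytes that were signed; else raise."""
    # 1. Pin the serialization: ASCII, exactly three non-empty segments. Any other
    #    form (JWS JSON serialization, detached payload, stray dots) is refused.
    if not token.isascii():
        raise InvalidToken("non-ASCII token")
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise InvalidToken("not a three-segment compact JWS")
    h, p, s = parts
    # 2. Decode the header strictly; pin the algorithm on the verifier side.
    try:
        header = json.loads(b64url_decode(h))
    except ValueError as exc:
        raise InvalidToken("header is not JSON") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    # 3. Verify over the exact raw bytes of the first two segments.
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise InvalidToken("signature mismatch")
    # 4. Only now decode the claims, from the very segment just verified.
    try:
        claims = json.loads(b64url_decode(p))
    except ValueError as exc:
        raise InvalidToken("payload is not JSON") from exc
    if not isinstance(claims, dict):
        raise InvalidToken("claims must be a JSON object")
    # Time and audience checks (exp, nbf, iss, aud) belong here, after the signature.
    return claims

def forgeries_of(token: str) -> dict:
    """Constructed tampered variants of a valid token; each must be refused."""
    h, p, s = token.split(".")
    forged_p = b64url_encode(b'{"sub":"alice","role":"admin"}')
    none_h = b64url_encode(b'{"alg":"none"}')
    return {
        "tampered_payload": f"{h}.{forged_p}.{s}",
        "alg_none": f"{none_h}.{forged_p}.",
        "json_serialization": json.dumps({"protected": h, "payload": forged_p, "signature": s}),
        "junk_in_segment": f"{h}.{forged_p}{{x}}.{s}",
    }

def all_rejected(token: str, key: bytes) -> bool:
    """True if verify_jwt refuses every variant from forgeries_of()."""
    for variant in forgeries_of(token).values():
        try:
            verify_jwt(variant, key)
            return False
        except InvalidToken:
            pass
    return True

if __name__ == "__main__":
    tok = sign_jwt({"sub": "alice", "role": "user"}, SECRET)
    print(verify_jwt(tok, SECRET), all_rejected(tok, SECRET), python_jwt_is_affected("3.3.3"))
```

The ordering in `verify_jwt` is the point: the payload segment is not decoded, let alone parsed, until the HMAC over that exact segment has been compared, and the header is never allowed to select the algorithm. Run `python_jwt_is_affected()` against the version reported by your package manager to decide whether the upgrade to 3.3.4 is still outstanding.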

Reason for inclusion in AVID: CVE-2022-39227 describes a critical authentication bypass vulnerability in the python-jwt library (versions <3.3.4). This library is commonly used in Python-based systems, including AI/ML services for token-based authentication in model serving, APIs, and data pipelines. As a dependency affecting software used to build/deploy/run general-purpose AI systems, it constitutes a software supply chain issue within AI stacks. The vulnerability is explicitly security-related (authentication bypass with high impact) and the report provides concrete details and references, supporting AVID curation.

References

Affected or Relevant Artifacts

  • Developer: davedoesdev
  • Deployer: davedoesdev
  • Artifact Details:
      Type: System
      Name: python-jwt

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version: 3.1
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Base Score: 9.1
Base Severity: Critical
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: None

CWE

CWE-290: Authentication Bypass by Spoofing

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2022-09-23
  • Version: 0.3.3
  • AVID Entry