AVID-2026-R1561

Description

Issuer field partial matches allowed in pyjwt (CVE-2024-53861)

Details

pyjwt is a JSON Web Token implementation in Python. An incorrect string comparison is run for iss checking, resulting in "acb" being accepted for "_abc_". This is a bug introduced in version 2.10.0: checking the “iss” claim changed from isinstance(issuer, list) to isinstance(issuer, Sequence). Since str is a Sequnce, but not a list, in is also used for string comparison. This results in if "abc" not in "__abcd__": being checked instead of if "abc" != "__abc__":. Signature checks are still present so real world impact is likely limited to denial of service scenarios. This issue has been patched in version 2.10.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Reason for inclusion in AVID: CVE-2024-53861 describes a vulnerability in pyjwt, a Python library commonly used in AI/ML service stacks for handling authentication tokens. This is a software supply chain issue because pyjwt is a dependency that can be part of AI deployment pipelines (model serving, API security, etc.). It is a security vulnerability (miscomparison in iss check) with potential DoS impact, and a patch exists (2.10.1). The report references CVE details and advisories confirming scope and remediation.

References

• NVD entry
• https://github.com/jpadilla/pyjwt/security/advisories/GHSA-75c5-xw7c-p5pm
• https://github.com/jpadilla/pyjwt/commit/1570e708672aa9036bc772476beae8bfa48f4131#diff-6893ad4a1c5a36b8af3028db8c8bc3b62418149843fc382faf901eaab008e380R366
• https://github.com/jpadilla/pyjwt/commit/33022c25525c1020869c71ce2a4109e44ae4ced1

Affected or Relevant Artifacts

• Developer: jpadilla
• Deployer: jpadilla
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2024-11-29
• Version: 0.3.3
• AVID Entry