CVE-2022-39227

CRITICAL

Python-jwt < 3.3.4 - Authentication Bypass by Spoofing

Title source: rule

Description

python-jwt is a module for generating and verifying JSON Web Tokens. Versions prior to 3.3.4 are subject to Authentication Bypass by Spoofing, resulting in identity spoofing, session hijacking or authentication bypass. An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other user's identities, hijack their sessions, or bypass authentication. Users should upgrade to version 3.3.4. There are no known workarounds.

Exploits (2)

nomisec WORKING POC 22 stars

by user0x1337 · poc

https://github.com/user0x1337/CVE-2022-39227

View Code ZIP pw:eip

nomisec WORKING POC

by NoSpaceAvailable · poc

https://github.com/NoSpaceAvailable/CVE-2022-39227

View Code ZIP pw:eip

References (4)

[Patch] https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9

[Patch, Third Party Advisory] https://github.com/davedoesdev/python-jwt/security/advisories/GHSA-5p8v-58qm-c7fp

[Third Party Advisory] https://github.com/pypa/advisory-database/blob/main/vulns/python-jwt/PYSEC-2022-259.yaml

[Third Party Advisory] https://www.vicarius.io/vsociety/posts/authentication-bypass-in-python-jwt

Scores

CVSS v3 9.1

EPSS 0.7091

EPSS Percentile 98.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CWE

CWE-290

Status published

Products (2)

pypi/python-jwt 0 - 3.3.4PyPI

python-jwt_project/python-jwt 3.0.0 - 3.3.4

Published Sep 23, 2022

Tracked Since Feb 18, 2026