PyJWT v2.10.1 CVE-2025-45768: Brief Summary of Weak Encryption Vulnerability

A brief summary of CVE-2025-45768, a weak encryption vulnerability in PyJWT v2.10.1. This post covers affected versions, technical details, and vendor security history based on available public sources.
CVE Analysis


ZeroPath CVE Analysis


2025-07-31

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

JWTs are a core component of authentication and authorization in modern Python web applications. When a widely used library such as PyJWT has a cryptographic flaw, the risk can extend to thousands of production systems. CVE-2025-45768 is a weak encryption vulnerability reported against PyJWT v2.10.1, and it raises concerns about the integrity and confidentiality of JWT-based authentication flows.

About PyJWT: PyJWT is the most popular Python implementation of the JSON Web Token standard (RFC 7519). It is maintained by José Padilla and the open source community, and is a dependency for many frameworks and libraries in the Python ecosystem.

Technical Information

CVE-2025-45768 is classified as a weak encryption vulnerability in PyJWT v2.10.1. The issue is tracked as CWE-311 (Missing Encryption of Sensitive Data). PyJWT supports several signing algorithms, including HMAC (HS256, HS384, HS512), RSA (RS256, RS384, RS512, PS256, PS384, PS512), ECDSA (ES256, ES256K, ES384, ES512), and EdDSA. The vulnerability may affect how PyJWT handles cryptographic operations or key management, but no public code snippet or root cause analysis is available as of this writing.

Previous PyJWT vulnerabilities have included algorithm confusion (CVE-2022-29217) and improper claim validation (CVE-2024-53861). Those issues involved insecure handling of the alg header or insufficient validation of JWT claims. The details of CVE-2025-45768 are not yet public, so it is unclear whether this flaw lies in algorithm selection, key handling, or another cryptographic process.

No exploit details or proof of concept are available for this CVE.

Affected Systems and Versions

  • PyJWT version 2.10.1 is affected by CVE-2025-45768.
  • No other versions are explicitly mentioned as vulnerable in public sources.
  • No configuration-specific details are available.

Vendor Security History

PyJWT has experienced several notable vulnerabilities:

  • CVE-2022-29217: Algorithm confusion vulnerability in versions 1.5.0 through 2.3.0, allowing signature bypass under certain conditions.
  • CVE-2024-53861: Issuer claim validation bug in version 2.10.0, fixed in 2.10.1.

The maintainers have generally responded quickly to reported issues, but the project has seen recurring cryptographic implementation flaws. PyJWT relies on the cryptography package for its crypto operations, and its documentation emphasizes secure usage patterns, such as explicitly specifying allowed algorithms.
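The secure usage pattern referred to above, in which the verifier pins the algorithms it will accept and checks claims such as the issuer exactly, can be shown end to end. The block below is an added example written for this post using only the Python standard library; it is not PyJWT's code, and it does not reproduce the root cause of any of the CVEs discussed here, whose details the public sources do not give. The key, issuer URL and tokens are constructed for the demonstration. In PyJWT itself the equivalent controls are the algorithms= and issuer= arguments of jwt.decode; the point of the hand-written verifier is to make visible what those arguments must enforce.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical verifier written for this post; it is not PyJWT's code.
# The allowlist is fixed by the verifier and is never read from the token header.
ALLOWED_ALGS = frozenset({"HS256"})


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def issue_hs256(payload: dict, key: bytes) -> str:
    """Mint an HS256 token. Used here only to build constructed test fixtures."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(payload)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify(token: str, key: bytes, expected_issuer: str, *,
           allowed_algs=ALLOWED_ALGS, now=None) -> dict:
    """Verify signature and claims; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # 1. Pin the algorithm. The header is attacker-controlled input, so the
    #    verifier decides the allowlist, and "none" is never on it.
    alg = header.get("alg")
    if alg not in allowed_algs:
        raise ValueError(f"algorithm {alg!r} not allowed")
    if alg != "HS256":
        raise ValueError("only HS256 is implemented in this example")
    # 2. Check the signature in constant time before trusting any claim.
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    # 3. Issuer must match by exact string equality, not substring membership.
    iss = payload.get("iss")
    if not isinstance(iss, str) or iss != expected_issuer:
        raise ValueError("issuer mismatch")
    # 4. Expiry is mandatory in this verifier; a missing exp is rejected.
    exp = payload.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired or missing exp")
    return payload


def run_checks() -> dict:
    """Run the verifier over constructed tokens; returns which cases were accepted."""
    key = b"constructed-demo-key-not-for-production"
    issuer = "https://issuer.example"
    now = 1_700_000_000  # fixed clock so the result is deterministic
    good = issue_hs256({"sub": "alice", "iss": issuer, "exp": now + 300}, key)
    # Same payload segment, header replaced with alg=none and signature dropped.
    unsigned = f"{_segment({'alg': 'none'})}.{good.split('.')[1]}."
    # Correctly signed, but iss is only a prefix of the expected issuer.
    partial_iss = issue_hs256({"sub": "alice", "iss": "issuer", "exp": now + 300}, key)
    expired = issue_hs256({"sub": "alice", "iss": issuer, "exp": now - 1}, key)
    results = {}
    cases = [("good", good), ("alg_none", unsigned),
             ("partial_issuer", partial_iss), ("expired", expired)]
    for name, tok in cases:
        try:
            verify(tok, key, issuer, now=now)
            results[name] = True
        except ValueError:
            results[name] = False
    return results


if __name__ == "__main__":
    print(run_checks())
```

Only the first token is accepted; the alg=none token fails at the allowlist check before any signature or claim is examined, the partial-issuer token fails the exact-equality comparison despite carrying a valid signature, and the expired token fails the exp check. The ordering matters: algorithm pinning and signature verification happen before any claim in the payload is read, so claim checks only ever run on data the verifier has already authenticated.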
