CVE-2025-61152
BaseFortify
Publication date: 2025-10-10
Last updated on: 2025-11-25
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| python-jose | python-jose | From 3.13.1 (inc) to 3.13.11 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in python-jose versions up to 3.3.0 allows JWT tokens with the 'alg=none' algorithm to be decoded and accepted without any cryptographic signature verification. This means an attacker can create a forged token with arbitrary claims, such as is_admin=true, and bypass authentication checks in applications that use python-jose for token validation.
How can this vulnerability impact me?
The vulnerability can lead to privilege escalation or unauthorized access because a malicious actor can forge tokens that bypass authentication. This compromises the security of applications relying on python-jose for JWT validation, potentially allowing attackers to gain elevated privileges or access sensitive data.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that your application explicitly rejects JWT tokens with 'alg=none'. Update or patch python-jose to a version later than 3.3.0 where this issue is fixed, or implement additional verification to prevent acceptance of unsigned tokens.
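The "additional verification" suggested above, as an added example that is not part of the BaseFortify record or of python-jose: a stdlib-only pre-check that parses the JWT header and refuses alg 'none' (any casing) and any algorithm outside an explicit allowlist before the HS256 signature is checked. The key and both tokens below are constructed sample data.

```python
import base64
import hashlib
import hmac
import json

# Allowlist of signing algorithms this service accepts; 'none' never belongs here.
ALLOWED_ALGS = frozenset({"HS256"})


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def validate_token(token: str, key: bytes, allowed_algs=ALLOWED_ALGS):
    """Return (True, claims) for a correctly signed token, else (False, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "token must have exactly three segments"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        provided_sig = _b64url_decode(parts[2])
    except ValueError:
        return False, "malformed token encoding"
    if not isinstance(header, dict):
        return False, "malformed header"
    alg = header.get("alg")
    # Case-insensitive: 'none', 'None' and 'NONE' all denote an unsigned token.
    if not isinstance(alg, str) or alg.lower() == "none":
        return False, "alg 'none' is not permitted"
    if alg not in allowed_algs:
        return False, f"alg {alg!r} is not in the allowlist"
    if not parts[2]:
        return False, "missing signature"
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(provided_sig, expected):
        return False, "signature mismatch"
    return True, json.loads(_b64url_decode(parts[1]))


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Mint a valid HS256 token; used only to build the constructed sample below."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


# Constructed sample data: one properly signed token and one unsigned token
# whose header declares alg 'none' and whose payload carries an elevated claim.
DEMO_KEY = b"constructed-demo-key-not-for-production"
SIGNED_TOKEN = make_hs256_token({"sub": "alice", "is_admin": False}, DEMO_KEY)
UNSIGNED_TOKEN = (_b64url_encode(b'{"alg":"none","typ":"JWT"}') + "."
                  + _b64url_encode(b'{"sub":"alice","is_admin":true}') + ".")
```

Run the pre-check on every inbound token and pass only tokens it accepts to the library decode, itself called with an explicit algorithms list.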