Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-32597 is a vulnerability in PyJWT versions prior to 2.12.0 where the library fails to properly validate the 'crit' (Critical) header parameter in JSON Web Signature (JWS) tokens as required by RFC 7515 §4.1.11."}, {'type': 'paragraph', 'content': "The 'crit' header lists extensions that must be understood and processed by the recipient. If any listed extensions are unknown, the token must be rejected. However, PyJWT incorrectly accepts tokens containing unknown critical extensions instead of rejecting them, violating this mandatory requirement."}, {'type': 'paragraph', 'content': "This means that tokens with unknown critical extensions (e.g., a custom extension like 'x-custom-policy') are accepted by PyJWT, potentially allowing attackers to bypass security controls that rely on these critical extensions."}] [1]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can lead to security policy bypasses in systems using PyJWT for token validation.'}, {'type': 'list_item', 'content': 'It can cause split-brain verification where some components (like an API gateway) reject a token due to unknown critical extensions, but PyJWT accepts it in the backend, leading to inconsistent security enforcement.'}, {'type': 'list_item', 'content': "Attackers can exploit this to bypass critical security policies enforced via the 'crit' header extensions, such as multi-factor authentication (MFA), token binding, or scope restrictions."}, {'type': 'list_item', 'content': 'Specifically, token binding bypasses can silently undermine Proof-of-Possession semantics, weakening the integrity of authentication mechanisms.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by analyzing JSON Web Tokens (JWTs) processed by PyJWT versions prior to 2.12.0 to check if tokens containing a `crit` header with unknown critical extensions are accepted instead of rejected.'}, {'type': 'paragraph', 'content': 'A practical detection method involves capturing JWT tokens and inspecting their headers for the presence of a `crit` array listing extensions that PyJWT does not support.'}, {'type': 'paragraph', 'content': 'For example, you can decode JWT tokens on your system or network using command-line tools or scripts to extract and examine the `crit` header parameter.'}, {'type': 'list_item', 'content': "Use `jq` or similar JSON parsing tools to decode JWT headers: `echo <token> | cut -d '.' -f1 | base64 -d | jq '.'`"}, {'type': 'list_item', 'content': 'Look for the `crit` field in the decoded header and check if it contains unknown extensions (e.g., `"x-custom-policy"`).'}, {'type': 'list_item', 'content': 'Test token acceptance by PyJWT 2.8.0 or earlier by attempting to decode tokens with unknown critical extensions and observing if they are accepted without error.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade PyJWT to version 2.12.0 or later, where the vulnerability is fixed by proper validation of the `crit` header parameter.

If upgrading is not immediately possible, implement additional validation in your application to reject JWT tokens containing unknown critical extensions in the `crit` header.

Ensure that your JWT verification logic enforces the RFC 7515 requirement that all critical extensions listed in the `crit` header are understood and present.

Consider using alternative libraries that correctly enforce `crit` header validation, such as jwcrypto, until the PyJWT upgrade can be applied.

Useful 0 Not Useful 0