CVE-2026-48525
Denial of Service in PyJWT via Detached JWS Verification

Publication date: 2026-05-28

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option ("b64": false, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For b64=false, PyJWT later discards that decoded payload and replaces it with the caller-provided detached_payload. In practice, this turns the middle segment into an attacker-controlled "work amplifier": a remote client can supply an arbitrarily large Base64URL payload segment that forces CPU work + memory allocations even if the signature is invalid. This creates an unauthenticated DoS vector against any endpoint that verifies detached JWS using PyJWT. This vulnerability is fixed in 2.13.0.
Meta Information
Generated: 2026-06-17
AI Q&A: 2026-05-28
EPSS Evaluated: 2026-06-16
Affected Vendors & Products
Vendor: pyjwt_project
Product: pyjwt
Version / Range: From 2.8.0 (inc) to 2.12.1 (inc)
CWE
CWE-400: The product does not properly control the allocation and maintenance of a limited resource.
Executive Summary

This vulnerability exists in PyJWT versions 2.8.0 to 2.12.1 when verifying detached JWS tokens using the unencoded-payload option ("b64": false, RFC 7797). PyJWT performs Base64URL decoding of the payload segment before enforcing detached-payload rules, but then discards the decoded payload and replaces it with the caller-provided detached_payload. This allows an attacker to supply an arbitrarily large Base64URL payload segment that forces excessive CPU work and memory allocation, even if the signature is invalid.

Effectively, the middle segment of the token becomes a "work amplifier" controlled by the attacker, creating an unauthenticated denial-of-service (DoS) vector against any endpoint verifying detached JWS tokens using PyJWT.

This vulnerability was fixed in PyJWT version 2.13.0.

Compliance Impact

The vulnerability in PyJWT allows unauthenticated denial-of-service (DoS) attacks by forcing excessive CPU and memory usage during token verification. While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, such a DoS vulnerability can impact the availability and reliability of systems processing sensitive data.

Disruptions caused by DoS attacks may hinder an organization's ability to maintain continuous access to protected data or services, which could indirectly affect compliance with regulations that require availability and integrity of data and services.

However, there is no direct information provided about specific impacts on compliance with GDPR, HIPAA, or other standards in the provided context.

Detection Guidance

This vulnerability can be detected by monitoring for the presence of detached JWS tokens with the "b64=false" header being processed by PyJWT versions 2.8.0 to 2.12.1. Specifically, look for tokens where the middle payload segment is unusually large, as this is the attack vector causing excessive CPU and memory usage.

To detect exploitation attempts or vulnerable usage, you can:

  • Inspect logs or network traffic for detached JWS tokens with the "b64=false" header.
  • Monitor CPU and memory usage spikes on services using PyJWT for token verification.
  • Apply rate limiting or reject tokens with "b64=false" if not needed.

While no specific commands are provided in the resources, you can use tools like grep or jq to search logs for suspicious tokens, for example:

  • Search log files for the header flag, e.g. `grep -r 'b64": false' /path/to/logs`.
  • Use network capture tools (e.g., tcpdump, Wireshark) to filter for HTTP requests containing detached JWS tokens and analyze the payload size.
  • Monitor system resource usage with commands like top, htop, or ps to detect unusual CPU or memory consumption spikes during token verification.
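A pre-verification filter for the checks listed above, added here as an example and not PyJWT's own code: it caps segment lengths on the raw compact serialization before decoding anything, decodes only the small protected header to read the b64 flag (on the wire that header is Base64URL-encoded, so a literal grep for `b64": false` only matches logs that record the decoded header), and rejects oversized or non-detached b64=false tokens before they reach `jwt.decode`. The segment cap, the sample tokens and the log lines are constructed assumptions, not values from the advisory.

```python
import base64
import json
import re
MAX_SEGMENT_CHARS = 4096  # assumed policy cap per compact-serialization segment; tune per service
_JWS_RE = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+")  # header.payload.signature

def _b64url_decode(segment: str) -> bytes:
    # Compact serialization strips '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def precheck_detached_jws(token: str, max_segment_chars: int = MAX_SEGMENT_CHARS) -> dict:
    """Return the protected header if the token passes cheap structural checks, else raise ValueError.
    Segment sizes are checked on the raw strings, so nothing large is ever Base64URL-decoded."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    header_seg, payload_seg, sig_seg = parts
    for name, seg in (("header", header_seg), ("payload", payload_seg), ("signature", sig_seg)):
        if len(seg) > max_segment_chars:
            raise ValueError(f"{name} segment too large ({len(seg)} chars)")
    try:
        header = json.loads(_b64url_decode(header_seg))
    except ValueError as exc:  # binascii.Error, UnicodeDecodeError and JSONDecodeError all subclass it
        raise ValueError("malformed protected header") from exc
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    # RFC 7797 b64=false with detached content (RFC 7515 Appendix F): the verifier supplies the
    # payload, so the middle segment should be empty and there is nothing legitimate to decode.
    if header.get("b64") is False and payload_seg != "":
        raise ValueError("b64=false token carries a non-empty payload segment")
    return header

def check_token(token: str) -> tuple[bool, str]:
    try:
        header = precheck_detached_jws(token)
    except ValueError as exc:
        return False, str(exc)
    return True, f"ok alg={header.get('alg')} b64={header.get('b64', True)}"

def scan_log_lines(lines: list[str]) -> list[tuple[int, str]]:
    """Flag log lines carrying a token that fails the precheck; returns (line number, reason)."""
    return [(n, reason) for n, line in enumerate(lines, 1)
            for ok, reason in (check_token(m.group(0)) for m in _JWS_RE.finditer(line)) if not ok]

# Constructed samples (not from the advisory): b64=false header, dummy signature segment 'c2ln'.
_HDR = base64.urlsafe_b64encode(json.dumps({"alg": "HS256", "b64": False, "crit": ["b64"]}).encode()).rstrip(b"=").decode()
SAMPLE_DETACHED = f"{_HDR}..c2ln"                  # well-formed detached token: empty middle segment
SAMPLE_INLINE = f"{_HDR}.eyJhIjoxfQ.c2ln"         # b64=false but a middle segment is present
SAMPLE_AMPLIFIED = f"{_HDR}.{'A' * 100000}.c2ln"   # oversized middle segment (the DoS shape)
SAMPLE_LOG = [f"2026-05-28T10:00:0{i}Z POST /verify auth={t}" for i, t in enumerate((SAMPLE_DETACHED, SAMPLE_INLINE, SAMPLE_AMPLIFIED), 1)]
```

Call `precheck_detached_jws` on the incoming token and only pass survivors to `jwt.decode(...)`; `scan_log_lines` applies the same logic retroactively to request logs that captured the raw token.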

Impact Analysis

This vulnerability can be exploited by a remote attacker to cause a denial-of-service (DoS) condition on systems that verify detached JWS tokens using vulnerable versions of PyJWT.

By sending a specially crafted token with a large Base64URL payload segment, the attacker can force the system to perform excessive CPU and memory operations, potentially leading to resource exhaustion and service unavailability.

Since the attack does not require authentication, it can be launched by anyone able to send tokens to the affected endpoint.

Mitigation Strategies

To mitigate this vulnerability, upgrade PyJWT to version 2.13.0 or later, where the issue is fixed.
