CVE-2025-45768

pyjwt v2.10.1 was discovered to contain weak encryption. NOTE: this is disputed by the Supplier because the key length is chosen by the application that uses the library (admittedly, library users may benefit from a minimum value and a mechanism for opting in to strict enforcement).
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
mitreCNA
---
---
CISA-ADPADP
7 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 2%
VendorProductVersion
pyjwt_projectpyjwt
2.10.1
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
pyjwt
plucky
deferred
noble
deferred
jammy
deferred
focal
deferred
bionic
deferred
xenial
deferred
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://gist.github.com/ZupeiNie/6f65e564f2067b876321d3dfdbb76569
https://github.com/jpadilla
https://github.com/jpadilla/pyjwt