CVE-2022-29217
📋 TL;DR
This vulnerability in PyJWT allows attackers to forge JWT tokens through algorithm confusion when applications verify tokens with the default algorithm list. It affects applications that use PyJWT with algorithms=jwt.algorithms.get_default_algorithms() for token verification, potentially enabling authentication bypass.
💻 Affected Systems
- PyJWT
📦 What is this software?
Fedora by Fedoraproject
Pyjwt by Pyjwt Project
⚠️ Risk & Real-World Impact
Worst Case
Complete authentication bypass allowing attackers to impersonate any user, access privileged data, or perform unauthorized actions.
Likely Case
Authentication bypass for some users, potentially leading to unauthorized access to sensitive functionality.
If Mitigated
No impact if applications explicitly specify allowed algorithms or use the patched version.
🎯 Exploit Status
The attack requires submitting a crafted JWT token that exploits algorithm confusion. Public exploit details exist in the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.0
Vendor Advisory: https://github.com/jpadilla/pyjwt/security/advisories/GHSA-ffqj-6fqr-9h24
Restart Required: No
Instructions:
1. Update PyJWT: pip install --upgrade "pyjwt>=2.4.0" (the quotes keep the shell from treating >= as a redirection)
2. Verify installation: pip show pyjwt
3. Test JWT functionality remains working.
🔧 Temporary Workarounds
Explicit Algorithm Specification
Instead of using get_default_algorithms(), explicitly specify the exact algorithms your application expects.
Replace algorithms=jwt.algorithms.get_default_algorithms() with algorithms=['HS256'], or whichever single algorithm your tokens are actually signed with.
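As an added illustration that is not part of this advisory or of PyJWT itself, the following stdlib-only verifier applies the same rule the workaround describes: the caller's explicit allowlist is checked before the token's alg header is used for anything, so a token cannot select its own verification scheme. The function names (make_token, verify_token, peek_alg, unexpected_alg_tokens) and the sample key are constructed for this example; in a PyJWT application the equivalent is passing algorithms=['HS256'] to jwt.decode().

```python
import base64
import hashlib
import hmac
import json

# HMAC algorithms this verifier can compute; the caller's allowlist selects from these.
_HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_token(payload: dict, key: bytes, alg: str = "HS256") -> str:
    """Mint an HMAC-signed test token (constructed helper for this example)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), _HMAC_ALGS[alg]).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def peek_alg(token: str) -> str:
    """Unverified 'alg' header, for logging and detection only, never for trust."""
    return str(json.loads(_b64url_decode(token.split(".")[0])).get("alg"))

def verify_token(token: str, key: bytes, allowed=("HS256",)) -> dict:
    """Verify a JWT against an explicit algorithm allowlist. The header's 'alg'
    is compared with the allowlist before it is used for anything, so the token
    cannot choose its own verification scheme."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, body_b64, sig_b64 = parts
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    if alg not in allowed:
        raise ValueError(f"algorithm {alg!r} not in allowlist {list(allowed)}")
    digestmod = _HMAC_ALGS.get(alg)
    if digestmod is None:
        raise ValueError(f"allowlisted algorithm {alg!r} is not implemented here")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), digestmod).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(body_b64))

def unexpected_alg_tokens(tokens, expected: str = "HS256"):
    """Detection helper: return tokens whose header names an algorithm other than expected."""
    return [t for t in tokens if peek_alg(t) != expected]
```

The same allowlist check is what the patched PyJWT enforces when algorithms is given explicitly; peek_alg and unexpected_alg_tokens only feed logging, never a trust decision.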
🧯 If You Can't Patch
- Implement explicit algorithm validation in JWT decoding code
- Add additional signature verification checks outside PyJWT
🔍 How to Verify
Check if Vulnerable:
Check if your Python code uses algorithms=jwt.algorithms.get_default_algorithms() or similar broad algorithm lists in JWT.decode() calls.
Check Version:
pip show pyjwt | grep Version
Verify Fix Applied:
Verify PyJWT version is 2.4.0 or higher and code uses explicit algorithm lists.
📡 Detection & Monitoring
Log Indicators:
- Failed JWT validations with algorithm mismatch errors
- Unusual authentication patterns
Network Indicators:
- JWT tokens with unexpected algorithm headers
- Authentication attempts with malformed tokens
SIEM Query:
Search for JWT decode errors or authentication failures in application logs
🔗 References
- https://github.com/jpadilla/pyjwt/commit/9c528670c455b8d948aff95ed50e22940d1ad3fc
- https://github.com/jpadilla/pyjwt/releases/tag/2.4.0
- https://github.com/jpadilla/pyjwt/security/advisories/GHSA-ffqj-6fqr-9h24
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5PK7IQCBVNLYJEFTPHBBPFP72H4WUFNX/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6HIYEYZRQEP6QTHT3EHH3RGFYJIHIMAO/
- https://www.vicarius.io/vsociety/posts/risky-algorithms-algorithm-confusion-in-pyjwt-cve-2022-29217