CVE-2025-61152

6.5 MEDIUM

📋 TL;DR

CVE-2025-61152 is a JWT authentication bypass vulnerability in python-jose that allows attackers to forge tokens with 'alg=none' and bypass signature verification. This enables privilege escalation and unauthorized access in applications using python-jose for JWT validation. Developers who use python-jose versions through 3.3.0 without explicitly rejecting 'alg=none' tokens are affected.

💻 Affected Systems

Products:
  • python-jose
Versions: through 3.3.0
Operating Systems: All platforms running Python
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability only manifests when 'verify_signature' is set to False or when applications don't explicitly reject 'alg=none' tokens. The library maintainers note this is not relevant for proper usage.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through administrative privilege escalation, allowing attackers to access sensitive data, modify configurations, or execute arbitrary actions as authenticated users.

🟠 Likely Case

Unauthorized access to protected resources, user impersonation, and privilege escalation within applications relying on JWT authentication.

🟢 If Mitigated

No impact if applications explicitly reject 'alg=none' tokens or use proper signature verification.

🌐 Internet-Facing: HIGH - Web applications exposed to the internet are directly vulnerable to token forgery attacks from remote attackers.
🏢 Internal Only: MEDIUM - Internal applications could be exploited by malicious insiders or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public PoC available on GitHub. Exploitation requires ability to submit forged JWT tokens to vulnerable endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.0

Vendor Advisory: https://github.com/mpdavis/python-jose/issues/391

Restart Required: No

Instructions:

1. Update python-jose: pip install "python-jose>=3.4.0" (quote the specifier so the shell does not treat '>' as a redirect)
2. Verify no existing code sets 'verify_signature=False' without proper validation
3. Test JWT validation functionality after update

🔧 Temporary Workarounds

Explicitly reject alg=none tokens

Applies to: all

Add validation that rejects any JWT whose 'alg' header parameter is 'none' before the token is processed further.

# Python code snippet:
from jose import jwt as jose_jwt

def validate_token(token, key, algorithms=("HS256",)):
    # Read the header without trusting it; python-jose provides
    # get_unverified_header() for exactly this purpose.
    header = jose_jwt.get_unverified_header(token)
    if str(header.get('alg', '')).lower() == 'none':
        raise ValueError('alg=none tokens are not allowed')
    # Continue with normal validation: the accepted algorithms are
    # pinned server-side, never taken from the token header.
    return jose_jwt.decode(token, key, algorithms=list(algorithms))
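As an added example (not code from python-jose or from this advisory), the same pre-check written against the raw token format so it runs without the library: it rejects a missing or 'none' alg in any letter case, enforces a server-side allowlist, and only then verifies the HS256 signature. ALLOWED_ALGS, the key and the fixture tokens are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Added example (not python-jose's code): alg pre-check plus offline HS256 verify.
ALLOWED_ALGS = {"HS256"}  # assumption: the application only issues HS256 tokens

def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def check_alg(token: str) -> str:
    """Return the header's alg if it is allowed; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected three segments")
    header = json.loads(_b64url_decode(parts[0]))
    alg = header.get("alg") if isinstance(header, dict) else None
    if not isinstance(alg, str) or alg.lower() == "none":  # any letter case
        raise ValueError("missing or 'none' alg is not allowed")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"algorithm {alg!r} is not on the allowlist")
    return alg

def verify_hs256(token: str, key: bytes) -> dict:
    check_alg(token)  # header pre-check first, then a constant-time HMAC compare
    h, p, s = token.split(".")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))

def is_accepted(token: str, key: bytes) -> bool:
    try:
        return verify_hs256(token, key) is not None
    except ValueError:
        return False

def make_token(header: dict, payload: dict, key: bytes = b"") -> str:
    """Constructed test fixture: signs with HS256 only when the header says so."""
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = b""
    if header.get("alg") == "HS256":
        sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"
```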

🧯 If You Can't Patch

  • Implement application-level validation to reject all JWT tokens with 'alg=none' in the header.
  • Use Web Application Firewall (WAF) rules to block requests carrying JWTs whose header sets 'alg' to 'none'. Note that the JWT header is base64url-encoded, so the rule must decode the first token segment (or match its encoded form) rather than search for the literal string 'alg=none'.

🔍 How to Verify

Check if Vulnerable:

Check python-jose version: pip show python-jose | grep Version. If version <= 3.3.0, check if application code validates 'alg' parameter or uses verify_signature=False.

Check Version:

pip show python-jose | grep Version

Verify Fix Applied:

After updating to >=3.4.0, test with a forged 'alg=none' token to ensure it's rejected. Verify application authentication still works with valid signed tokens.

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts with JWT tokens
  • Unusual user privilege changes
  • Authentication logs showing tokens with 'alg=none'

Network Indicators:

  • HTTP requests containing JWT tokens in headers with 'alg=none'
  • Unusual authentication patterns to protected endpoints

SIEM Query:

source="application_logs" AND ("alg=none" OR "verify_signature=False")

This query only matches where the application logs the decoded JWT header or its own configuration; a raw token in a request log carries the header base64url-encoded, so the literal string will not appear there.
