Source: pyjwt
Version: 2.11.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for pyjwt.

CVE-2026-32597[0]:
| PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0,
| PyJWT does not validate the crit (Critical) Header Parameter defined
| in RFC 7515 §4.1.11. When a JWS token contains a crit array listing
| extensions that PyJWT does not understand, the library accepts the
| token instead of rejecting it. This violates the MUST requirement in
| the RFC. This vulnerability is fixed in 2.12.0.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-32597
    https://www.cve.org/CVERecord?id=CVE-2026-32597
[1] https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f
[2] https://github.com/jpadilla/pyjwt/commit/051ea341b5573fe3edcd53042f347929b92c2b92

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
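The recipient-side "crit" check the advisory says was missing, as an added stand-alone example (not PyJWT's code and not part of this report): it applies the RFC 7515 §4.1.11 rules to the protected header of a compact-serialized JWS before the token is handed to a library for signature verification. The `understood` set, the `crit_check` name and the `make_token` helper (which builds constructed test input with a dummy signature) are assumptions for illustration.

```python
import base64
import json
from typing import Optional

# Header parameter names registered by RFC 7515 (JWS) and RFC 7518 (JWA).
# RFC 7515 §4.1.11: producers MUST NOT list these in "crit", so a recipient
# treats their presence there as invalid.
STANDARD_HEADER_NAMES = frozenset({
    "alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256", "typ", "cty", "crit",
})


def _b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url as used by JWS compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def crit_check(token: str, understood: frozenset = frozenset()) -> Optional[str]:
    """Return None if the protected header's "crit" (if any) is acceptable,
    otherwise a reason string. Run before signature verification so a token
    carrying unsupported critical extensions is rejected, not silently accepted."""
    try:
        header = json.loads(_b64url_decode(token.split(".")[0]))
    except ValueError as exc:  # covers binascii.Error and bad UTF-8/JSON
        return f"unparseable protected header: {exc}"
    if not isinstance(header, dict):
        return "protected header is not a JSON object"
    if "crit" not in header:
        return None  # no critical extensions declared: nothing to enforce
    crit = header["crit"]
    if not isinstance(crit, list) or not crit:
        return "crit must be a non-empty array"
    if not all(isinstance(name, str) for name in crit):
        return "crit entries must be strings"
    if len(set(crit)) != len(crit):
        return "crit contains duplicate names"
    for name in crit:
        if name in STANDARD_HEADER_NAMES:
            return f"crit lists standard header parameter {name!r}"
        if name not in header:
            return f"crit names {name!r}, which is absent from the header"
        if name not in understood:
            return f"crit names extension {name!r} this recipient does not understand"
    return None


def make_token(header: dict) -> str:
    """Constructed test input: compact JWS with an empty payload and a dummy signature."""
    return ".".join([_b64url_encode(json.dumps(header).encode()), _b64url_encode(b"{}"), "sig"])
```

With the vulnerable behaviour described above, a token such as `make_token({"alg": "HS256", "crit": ["b64"], "b64": False})` would be accepted by a recipient that knows nothing about `b64`; this check returns a rejection reason unless `"b64"` is in `understood`.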

