CVE-2026-48525

MEDIUM 5.3

PyJWT: Unauthenticated DoS via unbounded Base64URL decoding of unused payload segment in b64=false detached JWS

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option ("b64": false, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For b64=false, PyJWT later discards that decoded payload and replaces it with the caller-provided detached_payload. In practice, this turns the middle segment into an attacker-controlled “work amplifier”: a remote client can supply an arbitrarily large Base64URL payload segment that forces CPU work + memory allocations even if the signature is invalid. This creates an unauthenticated DoS vector against any endpoint that verifies detached JWS using PyJWT. This vulnerability is fixed in 2.13.0.

CWE	CWE-400
Vendor	jpadilla
Product	pyjwt
Published	May 28, 2026
Last Updated	May 28, 2026

Stay Ahead of the Next One

Get instant alerts for jpadilla pyjwt

Be the first to know when new medium vulnerabilities affecting jpadilla pyjwt are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Affected Versions

jpadilla / pyjwt

>= 2.8.0, < 2.13.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/jpadilla/pyjwt/security/advisories/GHSA-w7vc-732c-9m39