PyJWT before 2.4.0 is vulnerable to key confusion that can lead to authentication bypass. `jwt.decode()` lets the token's `alg` header select any algorithm in the caller's `algorithms` list, and the check that stops a public key from being used as an HMAC secret only matched a short blocklist of PEM key headers. If an application passes an asymmetric public key in a format outside that blocklist (for example an OpenSSH-formatted `ssh-ed25519` key) together with an `algorithms` list that also contains an HMAC algorithm such as HS256, an attacker who knows the public key can sign a token with HS256 using the public key bytes as the secret, and the library verifies it, allowing unauthorized actions. Version 2.4.0 broadens the HMAC key check to reject PEM and OpenSSH public key formats; the advisory also recommends passing exactly the algorithm the application expects in `algorithms` rather than a mixed list.
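The following is an added example, not PyJWT's own code, that models the bug class with only the standard library: a forger signs an HS256 token using the server's public key bytes as the HMAC secret, a decoder with a narrow PEM-only blocklist accepts it, and a hardened decoder rejects it by refusing OpenSSH and PEM key material as HMAC secrets and by pinning a single algorithm. The public key string, the function names, the `NARROW_BLOCKLIST` contents and the `OPENSSH_PREFIXES` tuple are all constructed for this illustration; the exact strings in the vulnerable releases differ in detail, and asymmetric verification is deliberately left out because the confusion only exercises the HMAC path.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Produce a compact JWS with HS256. The attacker calls this with the
    victim's *public* key bytes as `secret`; no private key is involved."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


# Narrow blocklist in the spirit of the pre-2.4.0 HMAC key check: only these
# literal PEM headers are refused as HMAC secrets (constructed approximation).
NARROW_BLOCKLIST = (
    b"-----BEGIN PUBLIC KEY-----",
    b"-----BEGIN CERTIFICATE-----",
    b"-----BEGIN RSA PUBLIC KEY-----",
)

# Broader check: any PEM armour plus OpenSSH public-key type prefixes (assumed list).
OPENSSH_PREFIXES = (
    b"ssh-rsa", b"ssh-dss", b"ssh-ed25519",
    b"ecdsa-sha2-nistp256", b"ecdsa-sha2-nistp384", b"ecdsa-sha2-nistp521",
)


def looks_like_asymmetric_key(key: bytes) -> bool:
    key = key.lstrip()
    return key.startswith(b"-----BEGIN ") or key.startswith(OPENSSH_PREFIXES)


def _decode(token: str, key: bytes, algorithms, hmac_key_is_unsafe) -> dict:
    h64, p64, s64 = token.split(".")
    alg = json.loads(_b64url_decode(h64)).get("alg")
    if alg not in algorithms:  # the token header chooses from the caller's list
        raise ValueError("algorithm %r not permitted" % alg)
    if alg != "HS256":
        raise NotImplementedError("this toy only models the HMAC path")
    if hmac_key_is_unsafe(key):
        raise ValueError("asymmetric key must not be used as an HMAC secret")
    expected = hmac.new(key, (h64 + "." + p64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(p64))


def decode_vulnerable(token: str, key: bytes, algorithms) -> dict:
    """Accepts any alg in `algorithms`; the HMAC key check is the narrow blocklist."""
    return _decode(token, key, algorithms, lambda k: k.lstrip().startswith(NARROW_BLOCKLIST))


def decode_hardened(token: str, key: bytes, algorithms) -> dict:
    """Two fixes: refuse anything that looks like a public key as an HMAC secret,
    and require the caller to pin exactly one expected algorithm."""
    if len(algorithms) != 1:
        raise ValueError("pin exactly one algorithm; never mix HMAC and asymmetric")
    return _decode(token, key, algorithms, looks_like_asymmetric_key)


def forgery_accepted(decoder, token: str, key: bytes, algorithms) -> bool:
    """True if `decoder` verifies the forged token and grants the admin claim."""
    try:
        return decoder(token, key, algorithms).get("sub") == "admin"
    except (ValueError, NotImplementedError):
        return False


# Constructed stand-in for the server's published OpenSSH public key; not a real key.
PUBLIC_KEY = b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey0000000000000000 demo@example"
FORGED = sign_hs256({"sub": "admin"}, PUBLIC_KEY)

if __name__ == "__main__":
    print("vulnerable, algorithms=['HS256', 'EdDSA']:",
          forgery_accepted(decode_vulnerable, FORGED, PUBLIC_KEY, ["HS256", "EdDSA"]))
    print("hardened,   algorithms=['EdDSA']:        ",
          forgery_accepted(decode_hardened, FORGED, PUBLIC_KEY, ["EdDSA"]))
```

The hardened decoder closes both halves of the bug: even if a caller still passes a mixed `algorithms` list, the broader key check stops public key bytes from acting as an HMAC secret, and pinning one algorithm means the token header can no longer steer verification onto the HMAC path at all.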
github.com/jpadilla/pyjwt/commit/9c528670c455b8d948aff95ed50e22940d1ad3fc
github.com/jpadilla/pyjwt/releases/tag/2.4.0
github.com/jpadilla/pyjwt/security/advisories/GHSA-ffqj-6fqr-9h24
lists.fedoraproject.org/archives/list/[email protected]/message/5PK7IQCBVNLYJEFTPHBBPFP72H4WUFNX/
lists.fedoraproject.org/archives/list/[email protected]/message/6HIYEYZRQEP6QTHT3EHH3RGFYJIHIMAO/