CVE-2024-53861 Overview
CVE-2024-53861 is a vulnerability in PyJWT, a popular JSON Web Token implementation in Python. The vulnerability stems from an incorrect string comparison used for issuer (iss) claim validation, which can result in improper acceptance of tokens with mismatched issuer values. This bug was introduced in version 2.10.0 when the issuer checking logic changed from isinstance(issuer, list) to isinstance(issuer, Sequence).
Critical Impact
Applications using PyJWT 2.10.0 may incorrectly validate JWT tokens with partial issuer string matches, potentially leading to denial of service scenarios. While signature checks remain intact limiting real-world exploitation, the improper validation undermines authentication integrity.
Affected Products
- PyJWT version 2.10.0
- Applications using PyJWT 2.10.0 for JWT validation with issuer claim verification
- Python-based authentication systems relying on PyJWT issuer validation
Discovery Timeline
- 2024-11-29 - CVE-2024-53861 published to NVD
- 2025-09-22 - Last updated in NVD database
Technical Details for CVE-2024-53861
Vulnerability Analysis
This vulnerability represents an Input Validation Error (CWE-697: Incorrect Comparison) in PyJWT's issuer claim verification logic. The issue arises from a type-checking change that inadvertently altered how string comparisons are performed during JWT validation.
In version 2.10.0, the issuer validation check was modified from isinstance(issuer, list) to isinstance(issuer, Sequence). Since Python's str type is a Sequence but not a list, this change causes the code to use the in operator for string comparison instead of the intended equality check (!=). This results in substring matching rather than exact string comparison.
For example, when validating an issuer claim, the code performs if "abc" not in "__abcd__" instead of the correct if "abc" != "__abc__". This means a token with issuer "acb" would be incorrectly accepted when the expected issuer is "_abc_" if any substring match occurs.
While signature verification remains functional, this validation bypass could allow attackers to craft tokens that pass issuer validation when they shouldn't, potentially leading to denial of service or authentication confusion in affected applications.
Root Cause
The root cause is a type coercion issue in Python's type system. When the code changed to check isinstance(issuer, Sequence), it failed to account for the fact that str is also a Sequence type in Python. This caused the validation logic to branch into the wrong code path, using the in operator (which performs substring matching for strings) instead of the equality operator (!=).
Attack Vector
The attack is network-accessible and can be exploited remotely without authentication. An attacker can craft a JWT token with a carefully chosen issuer claim value that would pass substring validation against the expected issuer. While the cryptographic signature must still be valid, this could allow an attacker to bypass issuer validation in scenarios where:
- Multiple issuers share common substrings
- Applications rely on issuer validation for tenant isolation
- Token routing or processing decisions depend on issuer matching
The following patch shows the fix applied to correct the issuer validation logic:
if "iss" not in payload:
raise MissingRequiredClaimError("iss")
- if isinstance(issuer, Sequence):
- if payload["iss"] not in issuer:
+ if isinstance(issuer, str):
+ if payload["iss"] != issuer:
raise InvalidIssuerError("Invalid issuer")
else:
- if payload["iss"] != issuer:
+ if payload["iss"] not in issuer:
raise InvalidIssuerError("Invalid issuer")
Source: GitHub Commit Changes
Detection Methods for CVE-2024-53861
Indicators of Compromise
- JWT tokens being accepted with issuer values that are substrings of the expected issuer
- Authentication logs showing unexpected issuer values passing validation
- Anomalous patterns in JWT iss claims that partially match configured issuers
- Application logs indicating successful token validation with issuer values that should have been rejected
Detection Strategies
- Monitor application logs for JWT validation events and audit issuer claim values against expected configurations
- Implement dependency scanning to identify PyJWT version 2.10.0 in your software inventory
- Review authentication telemetry for tokens with issuer values that appear to be partial string matches
- Deploy runtime application security monitoring to detect abnormal JWT validation patterns
Monitoring Recommendations
- Enable verbose logging for JWT validation operations to capture issuer claim details
- Set up alerts for authentication events where issuer validation succeeds with non-exact matches
- Monitor Python package versions across deployed applications using software composition analysis tools
- Track authentication metrics for anomalous patterns in multi-tenant environments relying on issuer-based routing
How to Mitigate CVE-2024-53861
Immediate Actions Required
- Upgrade PyJWT to version 2.10.1 or later immediately to resolve the vulnerability
- Audit all applications using PyJWT 2.10.0 to assess exposure
- Review authentication logs for any evidence of exploitation or anomalous issuer values
- Implement additional application-level issuer validation as a defense-in-depth measure until patching is complete
Patch Information
The vulnerability has been patched in PyJWT version 2.10.1. The fix correctly handles the type checking by explicitly checking for str type first, ensuring that string issuers use equality comparison while sequences (lists, tuples) use membership checking. All users are strongly advised to upgrade to version 2.10.1 or later.
For detailed patch information, refer to the GitHub Security Advisory GHSA-75c5-xw7c-p5pm and the associated commit fix.
Workarounds
- There are no known workarounds for this vulnerability according to the security advisory
- Upgrading to PyJWT 2.10.1 is the only recommended remediation
- As a temporary measure, consider implementing additional application-level issuer validation using explicit string equality checks
- Downgrading to a version prior to 2.10.0 may be considered if upgrading is not immediately possible, though this is not officially recommended
# Upgrade PyJWT to the patched version
pip install --upgrade pyjwt>=2.10.1
# Verify the installed version
pip show pyjwt | grep Version
# Check for vulnerable versions in requirements
pip list | grep -i pyjwt
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
