Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-53861

CVE-2024-53861: PyJWT Issuer Claim Validation DoS Flaw

CVE-2024-53861 is a denial of service vulnerability in PyJWT caused by incorrect issuer claim validation in version 2.10.0. This article covers the technical details, affected versions, and mitigation strategies.

Updated:

CVE-2024-53861 Overview

CVE-2024-53861 is a vulnerability in PyJWT, a popular JSON Web Token implementation in Python. The vulnerability stems from an incorrect string comparison used for issuer (iss) claim validation, which can result in improper acceptance of tokens with mismatched issuer values. This bug was introduced in version 2.10.0 when the issuer checking logic changed from isinstance(issuer, list) to isinstance(issuer, Sequence).

Critical Impact

Applications using PyJWT 2.10.0 may incorrectly validate JWT tokens with partial issuer string matches, potentially leading to denial of service scenarios. While signature checks remain intact limiting real-world exploitation, the improper validation undermines authentication integrity.

Affected Products

  • PyJWT version 2.10.0
  • Applications using PyJWT 2.10.0 for JWT validation with issuer claim verification
  • Python-based authentication systems relying on PyJWT issuer validation

Discovery Timeline

  • 2024-11-29 - CVE-2024-53861 published to NVD
  • 2025-09-22 - Last updated in NVD database

Technical Details for CVE-2024-53861

Vulnerability Analysis

This vulnerability represents an Input Validation Error (CWE-697: Incorrect Comparison) in PyJWT's issuer claim verification logic. The issue arises from a type-checking change that inadvertently altered how string comparisons are performed during JWT validation.

In version 2.10.0, the issuer validation check was modified from isinstance(issuer, list) to isinstance(issuer, Sequence). Since Python's str type is a Sequence but not a list, this change causes the code to use the in operator for string comparison instead of the intended equality check (!=). This results in substring matching rather than exact string comparison.

For example, when validating an issuer claim, the code performs if "abc" not in "__abcd__" instead of the correct if "abc" != "__abc__". This means a token with issuer "acb" would be incorrectly accepted when the expected issuer is "_abc_" if any substring match occurs.

While signature verification remains functional, this validation bypass could allow attackers to craft tokens that pass issuer validation when they shouldn't, potentially leading to denial of service or authentication confusion in affected applications.

Root Cause

The root cause is a type coercion issue in Python's type system. When the code changed to check isinstance(issuer, Sequence), it failed to account for the fact that str is also a Sequence type in Python. This caused the validation logic to branch into the wrong code path, using the in operator (which performs substring matching for strings) instead of the equality operator (!=).

Attack Vector

The attack is network-accessible and can be exploited remotely without authentication. An attacker can craft a JWT token with a carefully chosen issuer claim value that would pass substring validation against the expected issuer. While the cryptographic signature must still be valid, this could allow an attacker to bypass issuer validation in scenarios where:

  1. Multiple issuers share common substrings
  2. Applications rely on issuer validation for tenant isolation
  3. Token routing or processing decisions depend on issuer matching

The following patch shows the fix applied to correct the issuer validation logic:

python
         if "iss" not in payload:
             raise MissingRequiredClaimError("iss")

-        if isinstance(issuer, Sequence):
-            if payload["iss"] not in issuer:
+        if isinstance(issuer, str):
+            if payload["iss"] != issuer:
                 raise InvalidIssuerError("Invalid issuer")
         else:
-            if payload["iss"] != issuer:
+            if payload["iss"] not in issuer:
                 raise InvalidIssuerError("Invalid issuer")

Source: GitHub Commit Changes

Detection Methods for CVE-2024-53861

Indicators of Compromise

  • JWT tokens being accepted with issuer values that are substrings of the expected issuer
  • Authentication logs showing unexpected issuer values passing validation
  • Anomalous patterns in JWT iss claims that partially match configured issuers
  • Application logs indicating successful token validation with issuer values that should have been rejected

Detection Strategies

  • Monitor application logs for JWT validation events and audit issuer claim values against expected configurations
  • Implement dependency scanning to identify PyJWT version 2.10.0 in your software inventory
  • Review authentication telemetry for tokens with issuer values that appear to be partial string matches
  • Deploy runtime application security monitoring to detect abnormal JWT validation patterns

Monitoring Recommendations

  • Enable verbose logging for JWT validation operations to capture issuer claim details
  • Set up alerts for authentication events where issuer validation succeeds with non-exact matches
  • Monitor Python package versions across deployed applications using software composition analysis tools
  • Track authentication metrics for anomalous patterns in multi-tenant environments relying on issuer-based routing

How to Mitigate CVE-2024-53861

Immediate Actions Required

  • Upgrade PyJWT to version 2.10.1 or later immediately to resolve the vulnerability
  • Audit all applications using PyJWT 2.10.0 to assess exposure
  • Review authentication logs for any evidence of exploitation or anomalous issuer values
  • Implement additional application-level issuer validation as a defense-in-depth measure until patching is complete

Patch Information

The vulnerability has been patched in PyJWT version 2.10.1. The fix correctly handles the type checking by explicitly checking for str type first, ensuring that string issuers use equality comparison while sequences (lists, tuples) use membership checking. All users are strongly advised to upgrade to version 2.10.1 or later.

For detailed patch information, refer to the GitHub Security Advisory GHSA-75c5-xw7c-p5pm and the associated commit fix.

Workarounds

  • There are no known workarounds for this vulnerability according to the security advisory
  • Upgrading to PyJWT 2.10.1 is the only recommended remediation
  • As a temporary measure, consider implementing additional application-level issuer validation using explicit string equality checks
  • Downgrading to a version prior to 2.10.0 may be considered if upgrading is not immediately possible, though this is not officially recommended
bash
# Upgrade PyJWT to the patched version
pip install --upgrade pyjwt>=2.10.1

# Verify the installed version
pip show pyjwt | grep Version

# Check for vulnerable versions in requirements
pip list | grep -i pyjwt

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.