PyJWT
cpe:2.3:a:pyjwt_project:pyjwt:*:*:*:*:*:*:*
- >= 2.8.0, <= 2.12.1
A denial-of-service vulnerability has been identified in PyJWT, a JSON Web Token implementation in Python, affecting versions 2.8.0 through 2.12.1. The issue arises when verifying detached JWS tokens with the unencoded-payload option ('b64': false, RFC 7797). PyJWT decodes the payload segment before applying the detached-payload rules, allowing an attacker to send a large Base64URL payload that increases CPU usage and memory consumption, even with an invalid signature. This vulnerability creates an unauthenticated denial-of-service risk on endpoints that use PyJWT for detached JWS verification.
Exploitation of this vulnerability leads to unbounded CPU and memory consumption, causing resource exhaustion on the server. This can result in request queueing and worker starvation, disrupting normal application operations and causing delays in processing legitimate requests.
To reproduce this vulnerability, send a detached JWS token with the 'b64' header set to false. The token's payload segment should be inflated with a large amount of Base64URL-encoded data. When the token is processed by a server using PyJWT for verification, the library will decode the payload segment before checking the signature, leading to increased CPU and memory usage. This can be automated with a script that sends concurrent requests to the verification endpoint, simulating an attack.
Users can upgrade to PyJWT version 2.13.0, where this vulnerability has been fixed. If detached JWS verification is not needed, tokens with 'b64' set to false can be rejected.
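As an added example (not code from the advisory or from the PyJWT project), the following stdlib-only pre-check implements the second mitigation: it parses only the header segment of a compact JWS, rejects 'b64': false tokens unless the endpoint explicitly opts in, and, when it does opt in, insists on the RFC 7797 'crit' marker and an empty (detached) payload segment, so an inflated payload segment is never decoded. The length bound, the function names, the dummy signature and the sample tokens are all assumptions constructed for this example.

```python
import base64
import json

# Constructed limit for this example; size it to the tokens your service actually issues.
MAX_TOKEN_BYTES = 8192


class TokenRejected(ValueError):
    """Raised when a token fails the pre-check and must not reach the JWS library."""


def _b64url_decode(segment: str) -> bytes:
    # base64url without padding (RFC 7515 section 2); restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def precheck_jws(token: str, allow_unencoded_payload: bool = False,
                 max_bytes: int = MAX_TOKEN_BYTES) -> dict:
    """Cheap structural checks on a compact JWS, to run before any library call.

    Only the (still unverified) header segment is decoded; the payload segment is
    never decoded here, so an oversized or malformed payload costs nothing beyond a
    length comparison. Returns the parsed header on success, raises TokenRejected
    otherwise. Signature verification is left entirely to the JWS library.
    """
    if len(token) > max_bytes:
        raise TokenRejected(f"token exceeds {max_bytes} bytes")
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("compact JWS must have exactly three segments")
    header_seg, payload_seg, _signature_seg = parts
    try:
        header = json.loads(_b64url_decode(header_seg))
    except ValueError as exc:  # binascii.Error, JSONDecodeError and UnicodeDecodeError
        raise TokenRejected("header is not base64url-encoded JSON") from exc
    if not isinstance(header, dict):
        raise TokenRejected("header must be a JSON object")
    b64 = header.get("b64", True)
    if not isinstance(b64, bool):
        raise TokenRejected("'b64' header must be a JSON boolean")
    if b64:
        return header  # ordinary base64url-encoded payload; the library handles the rest
    if not allow_unencoded_payload:
        raise TokenRejected("unencoded-payload tokens (b64=false) are not accepted here")
    # RFC 7797 requires a b64=false header to list "b64" in "crit".
    crit = header.get("crit", [])
    if not isinstance(crit, list) or "b64" not in crit:
        raise TokenRejected("b64=false header must list 'b64' in 'crit'")
    # Detached content: the payload is supplied out of band, so the payload segment
    # must be empty. Anything else would be decode-and-discard work for the library.
    if payload_seg != "":
        raise TokenRejected("detached JWS must carry an empty payload segment")
    return header


def classify(token: str, allow_unencoded_payload: bool = False) -> str:
    """Turn the exception into a short verdict string (handy for logging/metrics)."""
    try:
        precheck_jws(token, allow_unencoded_payload)
    except TokenRejected as exc:
        return f"rejected: {exc}"
    return "accepted"


def make_token(header: dict, payload: bytes) -> str:
    """Build a constructed compact JWS with a dummy all-zero signature.

    Sample input only: the pre-check never verifies signatures, so the signature
    segment just has to look like base64url.
    """
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    sig = _b64url_encode(bytes(32))
    return f"{h}.{_b64url_encode(payload)}.{sig}"


if __name__ == "__main__":
    ordinary = make_token({"alg": "HS256", "typ": "JWT"}, b'{"sub": "alice"}')
    inflated = make_token({"alg": "HS256", "b64": False, "crit": ["b64"]}, b"A" * 100_000)
    detached = make_token({"alg": "HS256", "b64": False, "crit": ["b64"]}, b"")
    print(classify(ordinary))                                # accepted
    print(classify(inflated))                                # rejected: token exceeds 8192 bytes
    print(classify(detached))                                # rejected: unencoded-payload ...
    print(classify(detached, allow_unencoded_payload=True))  # accepted
```

Run `precheck_jws` in request middleware before the token is handed to `jwt.decode()` (or the detached-payload verification call), and keep the upgrade to 2.13.0 as the primary fix; the pre-check is defense in depth. Note that the size bound alone already blunts the inflated-payload case regardless of the 'b64' value, which is why it comes first and costs only a length comparison.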