CVE-2022-39227
Published: 2022-09-23
Priority: P2 · 65 · critical · 9.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
EPSS: 3.56% (87.9th percentile)
python-jwt is a module for generating and verifying JSON Web Tokens. Versions prior to 3.3.4 are subject to Authentication Bypass by Spoofing, resulting in identity spoofing, session hijacking or authentication bypass. An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other user's identities, hijack their sessions, or bypass authentication. Users should upgrade to version 3.3.4. There are no known workarounds.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| davedoesdev | python-jwt | < 3.3.4 | 3.3.4 |
| msrc | azl3_python-jwt_2.8.0-2_on_azure_linux_3.0 | — | — |
| msrc | cbl2_python-jwt_2.4.0-2_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_python-jwt_2.4.0-2_on_cbl_mariner_1.0 | — | — |
| python-jwt_project | python-jwt | >= 0 < 3.3.4 | 3.3.4 |
| python-jwt_project | python-jwt | >= 3.0.0 < 3.3.4 | 3.3.4 |
| python-jwt_project | python-jwt | >= 3.0.0 < 3.3.4 | 3.3.4 |
| python-jwt_project | python-jwt | >= f6d1451012c6a04c2fb1940f0bbd93bb6cf2b025 < 88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9 | 88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9 |
Detection & IOCs (extracted from sources)
- command: `'{" ' + header + '.'+ fake_payload + '.":"","protected":"' + header + '", "payload":"' + payload + '","signature":"' + signature + '"}'`
- other: `Authorization: {" eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9.<tampered_payload>.":"","protected":"eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9", "payload":"<original_payload>","signature":"<original_signature>"}`
- Detect CVE-2022-39227 exploit attempts by inspecting the Authorization header for a JWT-like value that begins with `{"` (a JSON object wrapping), which is the hallmark of the forged token structure used in this attack.
- Detect HAProxy ACL bypass (CVE-2023-45539, chained with CVE-2022-39227) by monitoring HTTP requests to protected endpoints that include a `#` fragment character in the URI path, e.g. `GET /api/v1/get_ticket#`.
- Detect JWT claim tampering by alerting on tokens where the payload contains a `role` claim set to `administrator` but the token structure is a JSON object containing `protected`, `payload`, and `signature` keys rather than a standard dot-separated JWT string.
- The forged token preserves the original header and signature while substituting a tampered base64url-encoded payload; detection should flag Authorization header values matching the pattern: a JSON object with keys `protected`, `payload`, `signature` alongside a dot-separated JWT prefix.
- Flag python-jwt versions prior to 3.3.4 in software inventory as vulnerable; the library allows an attacker who obtains any valid JWT to forge arbitrary contents without the secret key.
- The HAProxy ACL blocking `/api/v1/get_ticket` is bypassable via the `#` fragment; the ACL rule must also match URI variants with fragment characters to be effective.
- python-jwt 3.3.3 (and all versions prior to 3.3.4) is the vulnerable version; upgrading to 3.3.4 is the only remediation — there are no known workarounds.
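A defender-side check for the forged token shape the notes above describe, as an added example (not from any source on this page): it flags an Authorization value that is a JSON object carrying `protected`, `payload` and `signature` together with a key shaped like a compact JWS, and decodes the smuggled claims. The header, claim and signature values are constructed, and the signature is a placeholder.

```python
import base64
import json
import re

# Compact JWS shape: header.payload.signature (base64url; the signature may be empty).
COMPACT_JWS = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
JWS_JSON_MEMBERS = {"protected", "payload", "signature"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def analyze_authorization(value: str) -> dict:
    """Flag a JSON-object token carrying the JWS JSON-serialisation members plus a
    key shaped like a compact JWS (the forged shape quoted in the IOCs above)."""
    token = value.strip()
    if token.lower().startswith("bearer "):
        token = token[7:].strip()
    result = {"json_wrapped": token.startswith("{"), "smuggled_claims": None,
              "payload_mismatch": False, "suspicious": False}
    try:
        obj = json.loads(token) if result["json_wrapped"] else None
    except ValueError:
        obj = None  # JSON-looking but unparsable: not this pattern
    if not isinstance(obj, dict) or not JWS_JSON_MEMBERS.issubset(obj):
        return result  # ordinary compact token, or JSON without the JWS members
    for key in obj:
        if COMPACT_JWS.match(key.strip()):
            # Tampered claims ride in the middle segment of the smuggled compact token,
            # while "payload" still holds the segment the signature actually covers.
            smuggled_payload = key.strip().split(".")[1]
            result["payload_mismatch"] = smuggled_payload != obj["payload"]
            try:
                result["smuggled_claims"] = json.loads(b64url_decode(smuggled_payload))
            except ValueError:
                result["smuggled_claims"] = {}
            result["suspicious"] = True
            break
    return result

# Constructed sample header values (not captured data); SIG is a placeholder, not a signature.
HEADER = b64url(b'{"alg":"PS256","typ":"JWT"}')
ORIG = b64url(b'{"sub":"guest","role":"guest"}')
TAMPERED = b64url(b'{"sub":"guest","role":"administrator"}')
SIG = b64url(b"placeholder-signature-bytes")
LEGIT = f"Bearer {HEADER}.{ORIG}.{SIG}"
FORGED = (f'{{" {HEADER}.{TAMPERED}.":"","protected":"{HEADER}", '
          f'"payload":"{ORIG}","signature":"{SIG}"}}')
```

Run against a proxy or application access log, this turns the "starts with `{"`" heuristic into a check on the structure itself, so plain JSON bodies or unrelated JSON-valued headers are not flagged.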
CVSS provenance
- nvd: v3.1, 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- vendor_msrc: 9.1 CRITICAL
- vendor_redhat: 9.1 CRITICAL
OSV · 2022-09-21 · CVE-2022-39227 [CRITICAL]
python-jwt vulnerable to token forgery with new claims
### Impact
An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other user's identities, hijack their sessions, or bypass authentication.
### Patches
Users should upgrade to version 3.3.4
Fixed by: https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9
### Workarounds
None
### References
Found by [Tom Tervoort]([email protected])
https://github.com/pypa/advisory-database/blob/main/vulns/python-jwt/PYSEC-2022-259.yaml
### More information
The vulnerability allows an attacker, who possesses a single valid JWT, to create a new token with forged claims that the verify_jwt
GHSA · 2022-09-21 · CVE-2022-39227 [CRITICAL] CWE-290
python-jwt vulnerable to token forgery with new claims
OSV · 2022-09-01 · CVE-2022-39227
An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key
An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other user's identities, hijack their sessions, or bypass authentication.
Red Hat (vendor_redhat) · 2022-09-23 · CVSS 9.1 · CVE-2022-39227 [CRITICAL] CWE-290
python-jwt: token forgery with new claims
A flaw was found in python-jwt, where it was subject to Authentication Bypass vulnerability by spoofing, resulting in identity spoofing, session hijacking, or authentication bypass. This flaw allows an attacker who
Microsoft (vendor_msrc) · 2022-09-13 · CVSS 9.1 · CVE-2022-39227 [CRITICAL] CWE-290
Python-jwt subject to Authentication Bypass by Spoofing
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https:/
No detection rules found.
No public exploits indexed.
arXiv (arxiv_fulltext) · 2025-10-28
Cybersecurity AI Benchmark (CAIBench): A Meta-Benchmark for Evaluating Cybersecurity AI Agents
## Abstract
Cybersecurity spans multiple interconnected domains, complicating the development of meaningful, labor-relevant benchmarks. Existing benchmarks assess isolated skills rather than integrated performance. We find that pre-trained knowledge of cybersecurity in LLMs does not imply attack and defense abilities, revealing a gap between knowledge and capability. To address this limitation, we present the Cybersecurity AI Benchmark (CAIBench), a modular meta-benchmark framework that allows evaluating LLM models and agents across offensive and defensive cybersecurity domains, taking a step towards meaningfully measuring their labor-relevance. CAIBench integrates five evaluation categories, covering over 10,000 instances: Jeopardy-style CTFs, Attack and Defense CTFs, Cyber Range e
CTF writeup · 2024 · CVSS 9.1 [CRITICAL]
[Medium] LockTalk / README
LockTalk
DDth Feb 2024
Challenge Author(s): **dhmosfunk**
### Description:
In "The Ransomware Dystopia," LockTalk emerges as a beacon of resistance against the rampant chaos inflicted by ransomware groups. In a world plunged into turmoil by malicious cyber threats, LockTalk stands as a formidable force, dedicated to protecting society from the insidious grip of ransomware. Chosen participants, tasked with representing their districts, navigate a perilous landscape fraught with ethical quandaries and treacherous challenges orchestrated by LockTalk. Their journey intertwines with the organization's mission to neutralize ransomware threats and restore order to a fractured world. As players confront internal struggles and external adversaries, their decisions shape the fate of not only
CTF writeup · 2024
README
# [__Challenges__](#challenges)
| Category | Name | Objective | Difficulty [⭐⭐⭐⭐⭐] |
|---------------|------------------------------------------------------------------------------------------|-------------------------------------------------------------------|-------------------------|
| **Crypto** | [Dynastic](crypto/%5BVery%20Easy%5D%20Dynastic) | Caesar Cipher with increasing shift | ⭐ |
| **Crypto** | [Makeshift](crypto/%5BVery%20Easy%5D%20Makeshift) | Reverse a simple custom "encryption" algorithm | ⭐ |
| **Crypto** | [Primary Knowledge](crypto/%5BVery%20Easy%5D%20Primary%20Knowledge) | RSA with prime n which makes retrieving d trivial | ⭐ |
| **Crypto** | [Blunt](crypto/%5BEasy%5D%20Blunt) | Numerically small p resulting in solving the DLP easily | ⭐⭐ |
| **Crypto** | [Iced Tea](cry
CTF writeup · 2024 · CVSS 9.1 · CVE-2022-39227 [CRITICAL]
Web / LockTalk
# LockTalk
## Enumeration
In this challenge we get a simple looking API:
However, trying to get a ticket is blocked by the HAProxy:
This can be observed in the provided source code:
From the source code, we can also see it using a python_jwt library version 3.3.3:
With a bit of googling we can find that it is vulnerable and we should be able to forge new claims:
There's even a helpful [POC](https://github.com/user0x1337/CVE-2022-39227):
And we know we need to forge an administrator token from the source code. This is important because usually you would think we need `admin`, but in this case we need `administrator`:
## Solution
Before we forge an administrator token we need a guest token. After a bit of research into HAProxy and its bypasses, we find a helpful list here:
[https://gi
References
- https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9
- https://github.com/davedoesdev/python-jwt/security/advisories/GHSA-5p8v-58qm-c7fp
- https://github.com/pypa/advisory-database/blob/main/vulns/python-jwt/PYSEC-2022-259.yaml
- https://www.vicarius.io/vsociety/posts/authentication-bypass-in-python-jwt
Published: 2022-09-23