CVE-2025-45768Missing Encryption of Sensitive Data in Project Pyjwt

CWE-311Missing Encryption of Sensitive Data5 documents5 sources
Severity
7.0HIGHNVD
EPSS
0.0%
top 85.96%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Pyjwt Project PyjwtDebian PyjwtMsrc Azl3 Python-jwt 2.8.0-1 ON Azure Linux 3.0+1 more
Timeline
PublishedJul 31

Description

pyjwt v2.10.1 was discovered to contain weak encryption. NOTE: this is disputed by the Supplier because the key length is chosen by the application that uses the library (admittedly, library users may benefit from a minimum value and a mechanism for opting in to strict enforcement).

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:HExploitability: 2.2 | Impact: 4.7

Affected Packages4 packages

debiandebian/pyjwt

🔴Vulnerability Details

2
OSV
CVE-2025-45768: pyjwt v22025-07-31
GHSA
GHSA-xpf8-484v-j9w6: pyjwt v22025-07-31

📋Vendor Advisories

2
Microsoft
pyjwt v2.10.1 was discovered to contain weak encryption. NOTE: this is disputed by the Supplier because the key length is chosen by the application that uses the library (admittedly, library users may2025-07-08
Debian
CVE-2025-45768: pyjwt - pyjwt v2.10.1 was discovered to contain weak encryption. NOTE: this is disputed ...2025