
[SNYK] pyjwt@2.10.1 Improper Verification of Cryptographic Signature (High due 4/17/2026) #1935

@exalate-issue-sync

Description

  • Introduced through

    pyjwt@2.10.1 and github3.py@4.0.1

  • Fixed in

    pyjwt@2.12.0

  • Exploit maturity

    Proof of Concept


Detailed paths and remediation

  • Introduced through: root@0.0.0 › pyjwt@2.10.1

    Fix: Upgrade pyjwt to version 2.12.0

  • Introduced through: root@0.0.0 › github3.py@4.0.1 › pyjwt@2.10.1

    Fix: Pin pyjwt to version 2.12.0


Overview

Affected versions of pyjwt do not correctly validate the crit (critical) header parameter of a JSON Web Signature (JWS). RFC 7515 section 4.1.11 requires a recipient to reject any JWS whose crit array names an extension the recipient does not understand; because affected versions skip that rejection, an attacker can craft a token that declares unrecognized critical extensions and have it accepted as though those extensions had been honored, bypassing the critical-header check (classified as Improper Verification of Cryptographic Signature). Upgrading to pyjwt 2.12.0 restores the check.
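The following is an added example written for this ticket; it is not pyjwt's code and not part of PR #1940. It shows what a verifier that follows RFC 7515 section 4.1.11 must do with the crit header before it trusts a token: using only the Python standard library, it signs a constructed HS256 token (throwaway key, hypothetical extension name "x-audience-pin") and then refuses it unless the verifier actually implements that extension, even though the signature is valid. A verifier with the behaviour described in the advisory would accept the "unknown_crit" case.

```python
import base64
import hashlib
import hmac
import json

# Header names registered by RFC 7515 (JWS) and RFC 7518 (JWA); RFC 7515
# section 4.1.11 forbids them from appearing inside "crit".
REGISTERED_JWS_HEADERS = {
    "alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256",
    "typ", "cty", "crit",
}


def b64url_decode(segment: str) -> bytes:
    # Compact JWS segments are base64url without padding; restore it first.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_crit(header: dict, supported_extensions: set) -> None:
    """Enforce RFC 7515 section 4.1.11; raise ValueError on any violation."""
    if "crit" not in header:
        return  # no critical extensions declared: nothing to enforce
    crit = header["crit"]
    if not isinstance(crit, list) or not crit:
        raise ValueError("crit must be a non-empty array")
    if not all(isinstance(name, str) for name in crit):
        raise ValueError("crit entries must be strings")
    if len(set(crit)) != len(crit):
        raise ValueError("crit must not contain duplicates")
    for name in crit:
        if name in REGISTERED_JWS_HEADERS:
            raise ValueError(f"crit must not list the registered header {name!r}")
        if name not in header:
            raise ValueError(f"critical header {name!r} is declared but absent")
        if name not in supported_extensions:
            # The rejection the advisory says affected pyjwt versions skipped.
            raise ValueError(f"unsupported critical header {name!r}")


def verify_hs256(token: str, key: bytes, supported_extensions=frozenset()) -> dict:
    """Verify a compact HS256 JWS and return its payload; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # Reject unknown critical extensions before the payload is trusted.
    check_crit(header, set(supported_extensions))
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p_b64))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Mint a compact HS256 JWS; used only to build the constructed samples below."""
    header = {"alg": "HS256", **header}
    h_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    return f"{h_b64}.{p_b64}.{b64url_encode(sig)}"


# Constructed samples: a throwaway key and a hypothetical critical extension
# "x-audience-pin" that this verifier does not implement.
SAMPLE_KEY = b"example-key-not-a-real-secret"
SAMPLE_PAYLOAD = {"sub": "alice"}
TOKEN_PLAIN = sign_hs256({}, SAMPLE_PAYLOAD, SAMPLE_KEY)
TOKEN_UNKNOWN_CRIT = sign_hs256(
    {"crit": ["x-audience-pin"], "x-audience-pin": "api.example"},
    SAMPLE_PAYLOAD, SAMPLE_KEY,
)


def demo() -> dict:
    """Report which constructed tokens a compliant verifier accepts."""
    results = {}
    for label, token, supported in (
        ("plain", TOKEN_PLAIN, set()),
        ("unknown_crit", TOKEN_UNKNOWN_CRIT, set()),
        ("known_crit", TOKEN_UNKNOWN_CRIT, {"x-audience-pin"}),
    ):
        try:
            verify_hs256(token, SAMPLE_KEY, supported)
            results[label] = "accepted"
        except ValueError as exc:
            results[label] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The crit check runs before the payload is returned regardless of whether the signature verifies, so a validly signed token issued for a consumer that implements "x-audience-pin" cannot be replayed against one that does not. When testing the pyjwt upgrade, the equivalent expectation is that a token declaring a crit entry the application does not handle is rejected by pyjwt 2.12.0 where 2.10.1 accepted it.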

QA Notes

Please test login after this ticket is implemented

DEV Notes

null

Design

null

See full ticket and images here: FECFILE-2961

Pull Request: #1940
