Vulnerability Description
python-jose through 3.3.0 allows JWT tokens with 'alg=none' to be decoded and accepted without any cryptographic signature verification. A malicious actor can craft a forged token with arbitrary claims (e.g., is_admin=true) and bypass authentication checks, leading to privilege escalation or unauthorized access in applications that rely on python-jose for token validation. This issue is exploitable unless developers explicitly reject 'alg=none' tokens, which is not enforced by the library. NOTE: all parties agree that the issue is not relevant because it only occurs in a "verify_signature": False situation.
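As an added example (not code from python-jose or from the referenced PoC), the following stdlib-only pre-check inspects the compact token before it is handed to the library and rejects 'alg=none' tokens and empty signature segments regardless of how the decode options were set; ALLOWED_ALGS and the two sample tokens are constructed assumptions for this illustration.

```python
import base64
import json

# Hypothetical allowlist: an application passes the algorithms it actually signs with.
ALLOWED_ALGS = {"HS256", "RS256", "ES256"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_jwt_header(token: str, allowed_algs=ALLOWED_ALGS) -> str:
    """Return the token's alg if acceptable, otherwise raise ValueError.

    Run before jwt.decode() so an 'alg=none' token, or one whose signature
    segment is empty, is refused even if verify_signature was turned off.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWS compact serialization needs exactly three segments")
    header_seg, _payload_seg, signature_seg = parts
    try:
        header = json.loads(_b64url_decode(header_seg))
    except ValueError as exc:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        raise ValueError("JWT header is not valid base64url JSON") from exc
    alg = header.get("alg") if isinstance(header, dict) else None
    # Compare case-insensitively so 'None' / 'NONE' variants are caught too.
    if not isinstance(alg, str) or alg.lower() == "none" or alg not in allowed_algs:
        raise ValueError(f"unacceptable alg {alg!r}")
    if not signature_seg:
        raise ValueError("JWT has an empty signature segment")
    return alg


def is_acceptable(token: str) -> bool:
    try:
        check_jwt_header(token)
        return True
    except ValueError:
        return False


# Constructed sample tokens (not real credentials): an unsigned token carrying
# the is_admin claim, and a token whose header names an allowed algorithm.
UNSIGNED_TOKEN = ".".join([_b64url_encode(b'{"alg":"none","typ":"JWT"}'),
                           _b64url_encode(b'{"sub":"alice","is_admin":true}'), ""])
SIGNED_HEADER_TOKEN = ".".join([_b64url_encode(b'{"alg":"HS256","typ":"JWT"}'),
                                _b64url_encode(b'{"sub":"alice","is_admin":false}'),
                                _b64url_encode(b"\x00" * 32)])  # placeholder signature bytes
```

A token that passes this check should still go through the library with the returned alg pinned, e.g. jose.jwt.decode(token, key, algorithms=[alg]), leaving signature verification at its default.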
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://github.com/javiermorales36/PoC-for-python-jose-alg-none-JWT-bypass-vulne
- https://github.com/mpdavis/python-jose/issues/391
- https://pypi.org/project/python-jose
FAQ
What is CVE-2025-61152?
CVE-2025-61152 is a vulnerability with a CVSS score of 6.5 (MEDIUM). python-jose through 3.3.0 allows JWT tokens with 'alg=none' to be decoded and accepted without any cryptographic signature verification. A malicious actor can craft a forged token with arbitrary claims (...
How severe is CVE-2025-61152?
CVE-2025-61152 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-61152?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.