High severity7.5NVD Advisory· Published Aug 24, 2017· Updated May 13, 2026

CVE-2017-11424

Description

In PyJWT 1.5.0 and below the invalid_strings check in HMACAlgorithm.prepare_key does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string -----BEGIN RSA PUBLIC KEY----- which is not accounted for. This enables symmetric/asymmetric key confusion attacks against users using the PKCS1 PEM encoded public keys, which would allow an attacker to craft JWTs from scratch.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
pyjwtPyPI	< 1.5.1	1.5.1

Affected products

Debian/Debian Linux2 versions
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Pyjwt Project/Pyjwt
cpe:2.3:a:pyjwt_project:pyjwt:*:*:*:*:*:*:*:*
Range: <=1.5.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/jpadilla/pyjwt/pull/277nvdIssue TrackingPatchThird Party AdvisoryWEB
www.debian.org/security/2017/dsa-3979nvdThird Party AdvisoryWEB
github.com/advisories/GHSA-r9jw-mwhq-wp62ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2017-11424ghsaADVISORY
github.com/pypa/advisory-database/tree/main/vulns/pyjwt/PYSEC-2017-24.yamlghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000