In EPEL 9, python-jwt is at version 2.4.0, which includes the fix for this CVE. python-jwt isn't in EPEL 8 because it is in RHEL 8 at version 1.6.1. RHEL maintainers decided not to fix the CVE there. In EPEL 7, python-jwt is at version 1.5.3. It is affected by this CVE, but if paid RHEL maintainers didn't think it was important enough to fix in RHEL 8 (which is still in Full Support phase), then I don't think it's justified for volunteer maintainers to try to fix this in EPEL 7. If someone wants to propose a backport to fix this, I'd be happy to re-open this bug and revisit this.