Bug 2385868 (CVE-2025-45768) - CVE-2025-45768 pyjwt: pyjwt Weak Encryption Vulnerability
Summary: CVE-2025-45768 pyjwt: pyjwt Weak Encryption Vulnerability
Keywords:
Status: NEW
Alias: CVE-2025-45768
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2385904 2385905 2385906 2385907 2389943 2389944 2389946 2392912 2392913 2385902 2385903 2389945
Blocks:
Reported: 2025-07-31 21:01 UTC by OSIDB Bzimport
Modified: 2025-09-03 16:22 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-07-31 21:01:54 UTC
pyjwt v2.10.1 was discovered to contain weak encryption.

Comment 4 Oyvind Albrigtsen 2025-08-15 11:53:09 UTC
Is there a patch available? The versions where it's fixed are only available on RHEL10.

Example from RHEL9.6:
# python3 -m pip download --no-binary :all: --no-deps PyJWT
Collecting PyJWT
  Downloading pyjwt-2.10.1.tar.gz (87 kB)
     |████████████████████████████████| 87 kB 6.7 MB/s             
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Saved ./pyjwt-2.10.1.tar.gz
Successfully downloaded PyJWT

Comment 5 Oyvind Albrigtsen 2025-08-28 12:23:26 UTC
Correction. There is no fix available for RHEL10 either.

