Add advisory: python-jose algorithm confusion via DER keys (CVE-2024-33663 bypass)

[yugui923]

New advisory submission

New advisory for a JWT algorithm confusion attack in python-jose when RSA public keys are provided in DER (binary) format. This bypasses the incomplete fix for CVE-2024-33663 (GHSA-6c5p-j8vq-pqhj).

Note: The GHSA ID is a placeholder (GHSA-0000-0000-0002). Please assign a proper GHSA ID during review. The repository (mpdavis/python-jose) does not have private vulnerability reporting enabled, so this advisory is being submitted directly here.

Summary

• Package: python-jose (PyPI)
• Affected: all versions through 3.5.0 (no fix exists; project appears unmaintained)
• Related: CVE-2024-33663 (GHSA-6c5p-j8vq-pqhj)
• CWE: CWE-327 (Use of Broken Crypto Algorithm), CWE-345 (Insufficient Verification of Data Authenticity)
• CVSS v3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 — Critical)
• CVSS v4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Vulnerability details

The fix for CVE-2024-33663 (PR #369) added key format checks for PEM (is_pem_format()) and SSH (is_ssh_key()) formats in the HMAC key constructors, but did not cover DER-encoded keys. DER-encoded asymmetric keys pass both checks and are accepted as HMAC secrets by CryptographyHMACKey and native HMACKey.

Combined with the default algorithms=None parameter in jwt.decode(), which trusts the algorithm specified in the token header, an attacker who knows the RSA public key (from JWKS endpoints, certificates, etc.) can forge arbitrary JWT tokens signed with HS256 using the DER public key bytes as the HMAC secret. This enables authentication bypass and privilege escalation.

Affected components

• jose/backends/cryptography_backend.py — CryptographyHMACKey.__init__
• jose/backends/native.py — HMACKey.__init__
• jose/jwt.py — jwt.decode()

Disclosure timeline

• 2026-02-17: Maintainer contacted via email
• 2026-03-05: No response after 14+ days; repository has no SECURITY.md and no private vulnerability reporting

References

• Original advisory (incomplete fix): GHSA-6c5p-j8vq-pqhj
• Source: https://github.com/mpdavis/python-jose
• RFC 7518 §3.2: https://tools.ietf.org/html/rfc7518#section-3.2

[yhidad31]

Hello @yugui923, thanks for bringing this to our attention. However, this is not the appropriate channel for reporting security vulnerabilities. To ensure your report is appropriately handled, please refer to Privately reporting a security vulnerability where there are instructions for repositories that don't have private vulnerability reporting enabled.

Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!