SecBoard
Zurück zur CVE-Übersicht

CVE-2026-49852

NONE
Risk Signal Score10/100 — NIEDRIG
  • Weniger als 24 Stunden alt

Beschreibung

joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. Prior to 1.6.8, joserfc.jwt.decode accepts attacker-forged HMAC-signed tokens when the caller-supplied verification key is the empty string or None, because HMACAlgorithm.sign and HMACAlgorithm.verify in src/joserfc/_rfc7518/jws_algs.py pass the output of OctKey.get_op_key(...) to hmac.new(...) and OctKey.import_key in src/joserfc/_rfc7518/oct_key.py only emits a SecurityWarning for keys shorter than 14 bytes without rejecting zero-length input. This issue is fixed in version 1.6.8.

GitHub Advisories

GHSA-gg9x-qcx2-xmrhHIGH

joserfc: HS256/HS384/HS512 verify accepts empty/nil HMAC key (cross-language sibling of CVE-2026-45363)

pip/joserfc1.6.8
GitHub Advisory

Referenzen