CVE-2025-61152 – Apache Python-Jose JWT Signature Verification Bypass

CVE ID : CVE-2025-61152

Published : Oct. 10, 2025, 2:15 p.m. | 22 minutes ago

Description : python-jose thru 3.3.0 allows JWT tokens with ‘alg=none’ to be decoded and accepted without any cryptographic signature verification. A malicious actor can craft a forged token with arbitrary claims (e.g., is_admin=true) and bypass authentication checks, leading to privilege escalation or unauthorized access in applications that rely on python-jose for token validation. This issue is exploitable unless developers explicitly reject ‘alg=none’ tokens, which is not enforced by the library.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…