Quick Intro & Historical Context
On May 9, 2026, the maintainers of the popular JSON Web Token (JWT) Python library, PyJWT, released a critical fix.
The vulnerability (CVE-2026-32597, CVSS score 7.5) allows attackers to bypass verification by simply adding a "crit" (critical) section with unknown extensions inside a token header.
From an operational standpoint, this means any token—even those using unknown or unsupported features—would be accepted without error. Attackers can silently disable important security policies (MFA, token binding, scopes) if the backend does not enforce a strict allowlist.
How to Check if You Are Vulnerable (Debian & Ubuntu)
1. Check which version of python3-jwt is installed.
# Check installed version via APT
dpkg -l | grep python3-jwt

# Or, check via pip (if installed via pip, not apt)
pip3 show pyjwt | grep Version
2. Identify vulnerable versions.
- Vulnerable versions: < 2.12.0
- Patched Debian fixed versions (as of May 2026):
  - Debian oldstable (bookworm) → 2.6.0-1+deb12u1 or higher
  - Debian stable (trixie) → 2.10.1-2+deb13u1 or higher
If your installed version is lower than the fixed version for your release, your system is at immediate risk.
Automation Script to Apply the Fix (Bash for Debian)
Save the following as fix-pyjwt.sh, then run it with root privileges:
#!/bin/bash
# fix-pyjwt.sh - Secure PyJWT on Debian Linux
set -e

if [ "$(id -u)" -ne 0 ]; then
    echo "[ERROR] This script must be run as root." >&2
    exit 1
fi

echo "[INFO] Starting PyJWT security update script"

# Update package indices
apt update

# Check if python3-jwt is installed
# (dpkg -s is used instead of dpkg -l | grep, which also matches removed 'rc' entries and similarly named packages)
if dpkg -s python3-jwt >/dev/null 2>&1; then
    echo "[INFO] python3-jwt found. Upgrading package."
    apt install --only-upgrade -y python3-jwt
else
    echo "[INFO] python3-jwt not installed via APT. Checking pip..."
    if pip3 show pyjwt >/dev/null 2>&1; then
        echo "[INFO] PyJWT found via pip. Upgrading via pip."
        pip3 install --upgrade pyjwt
    else
        echo "[WARN] PyJWT not found. Installation may not be needed."
    fi
fi

# Final verification
echo "[INFO] Verifying installed version..."
if dpkg -s python3-jwt >/dev/null 2>&1; then
    dpkg -s python3-jwt | grep '^Version'
fi
if pip3 show pyjwt >/dev/null 2>&1; then
    pip3 show pyjwt | grep Version
fi

echo "[SUCCESS] PyJWT upgrade completed. Consider restarting dependent services."
Alternative Mitigation (If You Cannot Update Now)
1. Reject unknown critical extensions in application code before decoding
import jwt
from jwt.exceptions import InvalidTokenError

# Only the critical extensions this service actually implements
ALLOWED_CRIT = {"b64", "http://openid.net/specs/openid-connect-core-1_0.html#CriticalMetadata"}

def validate_crit(headers):
    crit = headers.get("crit")
    if crit:
        # "crit" must be an array; a bare string would otherwise be iterated character by character
        if not isinstance(crit, list):
            raise InvalidTokenError("crit must be an array of header names")
        for ext in crit:
            if ext not in ALLOWED_CRIT:
                raise InvalidTokenError(f"Unsupported critical extension: {ext}")

# Call validate_crit on the unverified header before jwt.decode()
# (token, key and the algorithm list are your own values):
# validate_crit(jwt.get_unverified_header(token))
# payload = jwt.decode(token, key, algorithms=["HS256"])
2. Block suspicious tokens at the WAF (ModSecurity example)
SecRule REQUEST_HEADERS:Authorization "@contains crit" \
    "id:1001,phase:1,deny,status:403,log,msg:'PyJWT crit header blocked'"
Note that the JWT header segment is base64url-encoded, so a literal "crit" match on the Authorization header only fires when the encoded text happens to contain that substring. Treat this rule as a coarse stopgap and rely on the application-level check above as the real control.
3. Use an application proxy or sidecar filter
4. Isolate vulnerable services in a sandbox
# Example: Enforce an AppArmor profile for your Python service
sudo aa-genprof /path/to/your/app.py
sudo aa-enforce /path/to/your/app.py
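A stand-alone version of the crit check from the mitigation above, added here as an example that is not from the original post or from PyJWT. It uses only the standard library so it can gate tokens before jwt.decode() regardless of library version, and it also enforces the RFC 7515 section 4.1.11 structural rules (non-empty array of strings, no reserved header names, every listed name present). The ALLOWED_CRIT value, the RESERVED set and the sample tokens are assumptions constructed for this example.

```python
import base64, json
# RFC 7515 registered header names that MUST NOT be listed in "crit"
RESERVED = {"alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256", "typ", "cty", "crit"}
# Critical extensions this service implements (assumption: only RFC 7797 "b64")
ALLOWED_CRIT = {"b64"}

def unverified_header(token: str) -> dict:
    """Parse the JOSE header of a compact JWS without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(base64.urlsafe_b64decode(parts[0] + "=" * (-len(parts[0]) % 4)))
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    return header

def check_crit(header: dict, allowed=ALLOWED_CRIT) -> list:
    """Apply RFC 7515 section 4.1.11 and reject any critical extension we do not implement."""
    if "crit" not in header:
        return []
    crit = header["crit"]
    if not isinstance(crit, list) or not crit or not all(isinstance(n, str) for n in crit):
        raise ValueError("crit must be a non-empty array of strings")
    for name in crit:
        if name in RESERVED:
            raise ValueError(f"crit must not list standard header {name!r}")
        if name not in header:
            raise ValueError(f"crit names {name!r} but the header does not carry it")
        if name not in allowed:
            raise ValueError(f"unsupported critical extension {name!r}")
    return crit

def crit_ok(token: str) -> bool:
    # Gate to run before jwt.decode(): True only if every critical extension is supported
    try:
        check_crit(unverified_header(token))
        return True
    except ValueError:
        return False

def make_token(header: dict) -> str:
    # Constructed, unsigned sample token; only the header segment matters for this check
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc(header), enc({"sub": "alice"}), "sig"])
# Constructed sample tokens, not captured from any real system
SAMPLES = {
    "plain": make_token({"alg": "HS256", "typ": "JWT"}),
    "b64": make_token({"alg": "HS256", "crit": ["b64"], "b64": False}),
    "unknown": make_token({"alg": "HS256", "crit": ["urn:example:ext"], "urn:example:ext": 1}),
}
```

Running crit_ok over SAMPLES accepts "plain" and "b64" and rejects "unknown", which is exactly the case an unpatched PyJWT let through.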