pyjwt v2.10.1 was discovered to contain weak encryption. NOTE: this is disputed by the Supplier because the key length is chosen by the application that uses the library (admittedly, library users may benefit from a minimum value and a mechanism for opting in to strict enforcement). — CVE-2025-45768

Summary

Advisory CVE-2025-45768. pyjwt v2.10.1 was discovered to contain weak encryption. NOTE: this is disputed by the Supplier because the key length is chosen by the… Vendor: Microsoft. Source: MSRC. Threat: high. CVSS 7. See the official…

What to do

General, cautious steps (verify details in the official source):

• Prioritize patching or mitigation immediately (treat as actively risky).
• Identify affected product versions in your inventory and verify whether you are impacted.
• Apply vendor patches/updates or recommended mitigations as soon as available.
• Read the official advisory for exact affected versions and remediation steps.

Official advisory

Read the official source

Related advisories

• <vuln:Note Title="FAQ" Type="FAQ" Ordinal="10">&lt;p&gt;&lt;strong&gt;Is Azure Linux the only Microsoft product that inc CVE-2025-24294
• A possible assertion failure when 'stale-answer-client-timeout' is set to '0' CVE-2025-40777
• ACPICA: Refuse to evaluate a method if arguments are missing CVE-2025-38386
• af_unix: Don't leave consecutive consumed OOB skbs. CVE-2025-38236
• ALSA: usb-audio: Kill timer properly at removal CVE-2025-38105
• Apache HTTP Server: HTTP response splitting CVE-2024-42516
• Apache HTTP Server: HTTP/2 DoS by Memory Increase CVE-2025-53020
• Apache HTTP Server: mod_proxy_http2 denial of service CVE-2025-49630
• Apache HTTP Server: mod_ssl error log variable escaping CVE-2024-47252
• Apache HTTP Server: mod_ssl TLS upgrade attack CVE-2025-49812
• Apache HTTP Server: SSRF with mod_headers setting Content-Type header CVE-2024-43204
• arm64/fpsimd: Discard stale CPU state when handling SME traps CVE-2025-38170