pyjwt: Algorithm Confusion via JSON Web Key Allows JWT Forgery

A vulnerability in pyjwt allows an attacker to forge JWTs when the verifier is configured with both symmetric and asymmetric algorithms and passes a raw-JSON JWK as the key. The library's protection against algorithm confusion only checks PEM/SSH keys, not JSON Web Keys, enabling HMAC signing with the public key.

Applications using pyjwt that pass a JSON Web Key (JWK) as the key and allow both HMAC and asymmetric algorithms in the same decode call.

Update pyjwt to the latest patched version and ensure verifiers do not mix symmetric and asymmetric algorithms in the same call; avoid passing raw-JSON JWKs as keys.