PyJWT 2.4.0–2.12.1 Unauthenticated DoS via Detached JWS (b64=false)
PyJWT versions 2.4.0 through 2.12.1 have an unauthenticated denial-of-service vulnerability when verifying detached JWS tokens with the unencoded-payload option
What changed
PyJWT versions 2.4.0 through 2.12.1 have an unauthenticated denial-of-service vulnerability when verifying detached JWS tokens with the unencoded-payload option (b64=false). The library decodes the Base64URL payload segment before checking whether the payload is detached, so an attacker can supply an arbitrarily large payload segment that forces CPU work and memory allocation even when the signature is invalid.
Who it affects
Any application using PyJWT to verify detached JWS tokens (b64=false) without upstream body-size limits. Deployments with typical body-size caps (≤2 MB) are less exposed.
What to do today
Apply a workaround: enforce strict max token length at the HTTP boundary, rate-limit verification endpoints, or reject tokens with b64=false if detached JWS is not needed. Upgrade to a patched version when available.
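As an added example (not PyJWT's own code), a stdlib-only pre-filter that an application can run on an incoming compact JWS before handing it to PyJWT, implementing the workarounds above: a hard token-length cap, and rejection of b64=false headers when the endpoint does not consume detached JWS. The limits, function names and sample tokens are constructed values.

```python
import base64
import json

MAX_TOKEN_BYTES = 4096    # assumed cap on the whole compact serialization
MAX_HEADER_BYTES = 1024   # assumed cap; a protected header is small

def b64url_decode(segment: str) -> bytes:
    # Compact JWS strips '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def screen_jws(token: str, allow_unencoded_payload: bool = False) -> str:
    """Return "ok" if the token may be handed to the JWT library, else a
    rejection reason. Only the protected header is decoded; the payload
    segment is never touched, so a huge payload costs one length check."""
    if len(token) > MAX_TOKEN_BYTES:
        return "reject: token exceeds length cap"
    parts = token.split(".")
    if len(parts) != 3:
        return "reject: not a compact JWS (expected 3 segments)"
    header_seg, _payload_seg, sig_seg = parts  # payload may be empty (detached)
    if not header_seg or not sig_seg:
        return "reject: empty header or signature segment"
    if len(header_seg) > MAX_HEADER_BYTES:
        return "reject: protected header too large"
    try:
        header = json.loads(b64url_decode(header_seg))
    except ValueError:  # binascii.Error, JSON and UTF-8 errors all subclass it
        return "reject: malformed protected header"
    if not isinstance(header, dict):
        return "reject: protected header is not a JSON object"
    if header.get("b64", True) is False:
        # RFC 7797 unencoded payload: reject unless this endpoint really
        # consumes detached JWS, and then insist that "crit" lists "b64".
        if not allow_unencoded_payload:
            return "reject: b64=false not accepted by this endpoint"
        crit = header.get("crit")
        if not isinstance(crit, list) or "b64" not in crit:
            return "reject: b64=false must be listed in crit"
    return "ok"

# Constructed sample tokens ("c2ln" is a dummy signature the screen never
# verifies); OVERSIZED_JWS adds a payload segment far beyond any sane size.
ORDINARY_JWS = ".".join([b64url_encode(b'{"alg":"HS256"}'),
                         b64url_encode(b'{"sub":"alice"}'), "c2ln"])
DETACHED_JWS = b64url_encode(b'{"alg":"HS256","b64":false,"crit":["b64"]}') + "..c2ln"
OVERSIZED_JWS = DETACHED_JWS.replace("..", "." + "A" * 100000 + ".")
```

The screen runs in front of the library call, so a rejected token never reaches the code path that decodes the payload segment.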