Is any action required for CVE-2022-29217 (PyJWT security vulnerability)

[caarmen]

This security vulnerability, involving algorithms used for jwt, was recently reported: https://nvd.nist.gov/vuln/detail/CVE-2022-29217

It says:

The issue is not that big as algorithms=jwt.algorithms.get_default_algorithms() has to be used. Users should upgrade to v2.4.0 to receive a patch for this issue. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.

Could somebody confirm that a drf project using drangorestframework-jwt isn't impacted if "JWT_ALGORITHM" is set to a specific value in the app settings.py as described in the djangorestframework-jwt documentation (HS256 in the example)?

I understand that the django-rest-framework-jwt project is no longer maintained, and that some alternatives include drf-jwt and djangorestframework-simplejwt.

[caarmen]

I'll attempt to answer my question 😄

Looks like djangorestframework-jwt does indeed apply the JWT_ALGORITHM setting inside its jwt_encode_handler and jwt_decode_handler functions.

Based on my understanding, if the setting is present, it should be ok.

But any confirmation is welcome :)

[tomchristie]

But any confirmation is welcome :)

Your summary of this appears correct to me as well.