Vulnerabilities found in PyJWT back in 2015

Question

Just wanted to confirm something related to Flask-JWT using PyJWT library. Back in 2015 (https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/) vulnerability issue was found with PyJWT.

I'm not sure if that has been fixed now for Flask-JWT or still have to do a work around? Can't find much information out there.

Does anyone know anything about this?

A maintained library won't have vulnerability left for 2 years. — Tatsuyuki Ishi, Apr 27 '17 at 09:04
That's the thing! last commit for flask-jwt on github was two years ago! so not sure — GeekOnGadgets, Apr 27 '17 at 09:05
It is maintained. Is your Google broken? https://github.com/jpadilla/pyjwt — Tatsuyuki Ishi, Apr 27 '17 at 09:06

score 4 · Accepted Answer · answered Apr 27 '17 at 09:13

4

The original Flask-JWT library is no longer maintained, and for any reason you shouldn't use such libraries unless there's no alternative.

It seems the PyJWT library that it depends already has the fix, and Flask-JWT specifies a sufficient version in the dependency.

Anyway, here's an up-to-date alternative that I found: https://github.com/vimalloc/flask-jwt-extended

answered Apr 27 '17 at 09:13

Tatsuyuki Ishi

@GeekOnGadgets I would appreciate you accepting the answer if this helps. – Tatsuyuki Ishi Apr 27 '17 at 09:26

1 Answers1