
Improper Verification of Cryptographic Signature in PyJWT Module

PY531
improper_verification
CWE-347
⚠️ Warning
🔒 Professional Plan

This rule identifies instances where JSON Web Tokens (JWT) are used without verifying their signatures. JWTs are commonly used for secure data transmission between parties. However, if the signature is not verified, the token’s authenticity and integrity cannot be guaranteed, potentially allowing attackers to forge or tamper with the token.

Example

import jwt


def decode_jwt(token):
    # Signature verification is disabled: any token, including a forged or
    # tampered one, is accepted and its claims are returned as trusted data.
    payload = jwt.decode(token, options={"verify_signature": False})
    return payload

Remediation

Set verify_signature to True, or remove it from the options dict entirely, since True is the default value. Note that signature verification in PyJWT also requires the verification key and an explicit algorithms list to be passed to jwt.decode.

import jwt


def decode_jwt(token, key):
    # With verification enabled, PyJWT needs the key and an explicit list of
    # accepted algorithms (HS256 here is an example choice); without them the
    # call raises rather than verifying anything.
    payload = jwt.decode(
        token, key, algorithms=["HS256"], options={"verify_signature": True}
    )
    return payload
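As an added illustration that is not part of this rule page or of PyJWT itself, the following standard-library code mimics what verify_signature=False versus the default verification does when handed a token whose payload was altered after signing (the key, claims and helper names are constructed for the demo):

```python
import base64
import hashlib
import hmac
import json

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_hs256(payload, key):
    """Build a compact HS256 JWT: header.payload.signature (demo helper)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def decode_unverified(token):
    """What verify_signature=False amounts to: trust the payload as-is."""
    _, body, _ = token.split(".")
    return json.loads(_b64url_decode(body))

def decode_verified(token, key):
    """What the default verification does: check the HMAC before trusting claims."""
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust the header
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("invalid signature")
    return json.loads(_b64url_decode(body))

def tamper(token, new_payload):
    """Constructed tampering: replace the payload but keep the old signature."""
    header, _, sig = token.split(".")
    return f"{header}.{_b64url(json.dumps(new_payload).encode())}.{sig}"

KEY = b"constructed-demo-key"  # constructed sample secret, not a real one

def demo():
    """Returns (role seen without verification, whether verification accepted it)."""
    good = encode_hs256({"sub": "alice", "role": "user"}, KEY)
    forged = tamper(good, {"sub": "alice", "role": "admin"})
    unverified_role = decode_unverified(forged)["role"]
    try:
        decode_verified(forged, KEY)
        return unverified_role, True
    except ValueError:
        return unverified_role, False
```

Running demo() shows the unverified path happily reports the escalated role while the verified path rejects the token, which is exactly the gap this rule flags.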

False Positives

If the finding is a false positive, the rule can be suppressed: add a trailing or preceding comment containing either the rule ID (PY531) or the rule category name (improper_verification).

import jwt


def decode_jwt(token):
    # suppress: PY531
    payload = jwt.decode(token, options={"verify_signature": False})
    return payload

See also