QwikSec

Security Database

CVE

CWE

Training

CVE-2024-37568

Published: Jun 9, 2024

Modified: Nov 3, 2025

PUBLISHED

Description

lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/lepture/authlib/issues/654

FEDORA-2024-7cc9a030d9

vendor-advisory

FEDORA-2024-2e9c58d661

vendor-advisory

https://www.vicarius.io/vsociety/posts/algorithm-confusion-in-lepture-authlib-cve-2024-37568

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.