Dependency PyJWT vulnerability issue CVE-2025-45768

[SamHoile]

Hi there,

CVE-2025-45768 indicates that all versions of PyJWT 'contain weak encryption'. It's disputed by PyJWT as the key length is set by the user/application. It's being flagged in SCA tests across all of our repos that use azure-opentelemetry and azure-identity.

Just wondering if msal uses PyJWT in any way that could be affected by this?

Thanks

[rayluo]

CVE-2025-45768 indicates that all versions of PyJWT 'contain weak encryption'. It's disputed by PyJWT as the key length is set by the user/application. It's being flagged in SCA tests across all of our repos that use azure-opentelemetry and azure-identity.

This was discussed here. jpadilla/pyjwt#1080 (comment)

Just wondering if msal uses PyJWT in any way that could be affected by this?

The issue was about the potential use of weak keys. It is ultimately on the application owner who provision their app keys. As long as strong keys are used (for example, >=2048bit), all the libraries in the tool chain use the strong key.