
Update dependency pyjwt to v2.13.0 [SECURITY]#717

Merged
davidzhao merged 1 commit into
mainfrom
renovate/pypi-pyjwt-vulnerability
Jun 16, 2026

Conversation

@renovate renovate Bot commented Jun 16, 2026


This PR contains the following updates:

Package   Change
pyjwt     2.12.1 -> 2.13.0

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (DoS)

CVE-2026-48524 / GHSA-fhv5-28vv-h8m8

More information

Details

[!NOTE]
The vulnerability surfaces only when a JWKS fetch fails; an attacker can attempt to provoke that with sustained unknown-kid traffic, but the outcome depends on upstream JWKS-endpoint behavior (rate limiting, transient errors) which is beyond the attacker's control. Impact is reduced auth availability until the next successful fetch, not complete denial of service.

Summary

PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited outbound requests.

Additionally, the fetch_data() finally block clears the JWKS cache on a network error.

Root Cause

  • jwt/jwks_client.py:172-198: get_signing_key(kid) calls get_signing_keys(refresh=True) for unknown kids, bypassing the TTL cache with no cooldown.
  • jwt/jwks_client.py:120-122: the finally block writes None to the cache on error, clearing valid data.

Impact

  • DoS against JWKS endpoint (unlimited requests per invalid token)
  • DoS against application (network I/O latency)
  • Cascading failure (rate limiting clears cache, breaking legitimate auth)

Suggested Fix

  1. Add refresh cooldown (refuse refresh more than once per TTL period)
  2. Move cache write from finally to else block

Affected Versions

All versions with PyJWKClient (2.4.0 through 2.12.1)

Severity

  • CVSS Score: 3.7 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

jpadilla/pyjwt (pyjwt)

v2.13.0

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
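The refresh and cache-clearing behaviour the advisory describes, as an added illustration that is not part of this PR or of pyjwt's code: a minimal JWKS cache model with the vulnerable path (refresh on every unknown kid, cache write in `finally`) beside the hardened path (one forced refresh per TTL, cache write in `else`). It assumes a hypothetical `fetch` callable and an injectable clock so the behaviour can be exercised offline.

```python
# Constructed model of the two PyJWKClient defects in the advisory above, not pyjwt's own code.
# `fetch` is hypothetical: returns {kid: key} or raises OSError; unknown kids yield None (pyjwt raises).
class JwksCache:
    def __init__(self, fetch, clock, ttl=300.0, hardened=True):
        self.fetch, self.clock, self.ttl, self.hardened = fetch, clock, ttl, hardened
        self.keys, self.fetched_at, self.last_refresh, self.fetches = None, -1e18, -1e18, 0

    def _fetch_data(self):
        self.fetches += 1                                # one outbound JWKS request
        if self.hardened:
            try:
                keys = self.fetch()
            except OSError:
                return                                   # fix 2: failure leaves the cache untouched
            else:
                self.keys, self.fetched_at = keys, self.clock()
        else:
            keys = None
            try:
                keys = self.fetch()
            except OSError:
                pass
            finally:                                     # defect 2: also runs on failure, writes None
                self.keys, self.fetched_at = keys, self.clock()

    def get_signing_key(self, kid):
        now = self.clock()
        if self.keys is None or now - self.fetched_at > self.ttl:
            self._fetch_data()                           # normal TTL-driven refresh
        if not (self.keys and kid in self.keys):         # unknown kid from the unverified header
            if self.hardened and now - self.last_refresh < self.ttl:
                return None                              # fix 1: at most one forced refresh per TTL
            self.last_refresh = now
            self._fetch_data()                           # defect 1: forced refresh on every unknown kid
        return (self.keys or {}).get(kid)

def simulate(hardened, unknown_kids=100):
    """Return (forced refreshes caused by unknown kids, whether 'good' is still served after an outage)."""
    clock, failing = [0.0], [False]
    def fetch():
        if failing[0]:
            raise OSError("JWKS endpoint unavailable")
        return {"good": "key-material"}
    cache = JwksCache(fetch, clock=lambda: clock[0], hardened=hardened)
    cache.get_signing_key("good")                        # warm the cache with one legitimate fetch
    for i in range(unknown_kids):
        cache.get_signing_key(f"unknown-{i}")
    forced = cache.fetches - 1
    failing[0], clock[0] = True, 301.0                   # TTL expired and the endpoint now errors
    return forced, cache.get_signing_key("good") == "key-material"
```

`simulate(hardened=False)` issues one outbound request per unknown kid and loses the valid key after a single failed fetch; `simulate(hardened=True)` issues one forced refresh per TTL and keeps serving the cached key until the next successful fetch.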

@devin-ai-integration devin-ai-integration Bot left a comment


✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.


@davidzhao davidzhao merged commit dc9598f into main Jun 16, 2026
11 checks passed
@davidzhao davidzhao deleted the renovate/pypi-pyjwt-vulnerability branch June 16, 2026 06:24