
Security: python-jose has known CVEs — should be replaced with PyJWT or python-jwt #145

@patel-prithvi

Description


Security: python-jose dependency has known CVEs — replace with PyJWT

Summary

pyproject.toml lists python-jose[cryptography]>=3.3.0 as a dependency. The python-jose library has multiple known vulnerabilities including:

  • CVE-2024-33663: Algorithm confusion attack allowing JWT signature bypass
  • CVE-2024-33664: Unsafe handling of RSA keys
  • The library is largely unmaintained (last release 2023, open issues unaddressed)

Evidence

# pyproject.toml line 17
"python-jose[cryptography]>=3.3.0",

Why This Is Risky for ExtensionShield

ExtensionShield uses JWTs for cloud authentication (when EXTSHIELD_MODE=cloud). An algorithm confusion vulnerability in the JWT library means an attacker could:

  1. Forge a JWT token without knowing the signing secret
  2. Impersonate any user, including admins
  3. Bypass the cloud authentication entirely

Proposed Fix

Replace python-jose with PyJWT, the actively maintained alternative:

# pyproject.toml — replace:
# "python-jose[cryptography]>=3.3.0",
# with:
"PyJWT[crypto]>=2.8.0",

Update any imports in the codebase:

# Before
from jose import jwt, JWTError
# After
import jwt
from jwt.exceptions import InvalidTokenError
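The property that makes the replacement worthwhile is the one PyJWT forces on callers: `jwt.decode(token, key, algorithms=[...])` will not verify a token unless the caller pins the permitted algorithms, so the token header can never choose the verification method. The following added example (not ExtensionShield's code, and deliberately written against the standard library only so it runs without installing either JWT library) shows the same check in about 30 lines: the verifier decides the algorithm allow-list, rejects anything else before touching the signature, and compares signatures in constant time. The secret, claims and helper names are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment loads this from secret storage.
SECRET = b"constructed-demo-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce a compact JWS using HS256 (only used here to build test tokens)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_pinned(token: str, key: bytes, allowed_algorithms=("HS256",)) -> dict:
    """Verify a compact JWS, refusing any algorithm not in the caller's allow-list.

    The allow-list belongs to the verifier, never to the token header; this is
    the check that PyJWT's mandatory `algorithms=` argument to jwt.decode performs.
    Only HS256 is implemented in this illustration.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg not in allowed_algorithms:
        # Rejected before any signature work, so 'none' or an unexpected
        # algorithm can never reach the verification step.
        raise ValueError(f"algorithm {alg!r} is not permitted")
    if alg != "HS256":
        raise ValueError(f"no verifier implemented for {alg!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))


def demo() -> dict:
    """Run the verifier over a valid token, a tampered token and an unsigned one."""
    good = sign_hs256({"sub": "user-42", "role": "user"}, SECRET)
    results = {"valid": verify_pinned(good, SECRET)["sub"]}

    # Tampered payload: claims changed after signing, so the MAC no longer matches.
    header_b64, _, sig_b64 = good.split(".")
    edited_payload = b64url_encode(json.dumps({"sub": "user-42", "role": "admin"}).encode())
    tampered = f"{header_b64}.{edited_payload}.{sig_b64}"
    try:
        verify_pinned(tampered, SECRET)
        results["tampered"] = "accepted"
    except ValueError as exc:
        results["tampered"] = str(exc)

    # Unsigned token whose header asks for "none": stopped by the allow-list.
    none_header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    unsigned = f"{none_header}.{edited_payload}."
    try:
        verify_pinned(unsigned, SECRET)
        results["none"] = "accepted"
    except ValueError as exc:
        results["none"] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

With PyJWT the equivalent call is `jwt.decode(token, key, algorithms=["HS256"])` inside a `try`/`except InvalidTokenError`; the point of the example is that the allow-list is a verifier-side constant, and that a verifier which instead reads `alg` from the header and dispatches on it is exactly the shape the algorithm-confusion CVE exploits.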

References

Impact

Critical — JWT forgery could allow complete authentication bypass in cloud mode.
