CVE-2025-61152

[cmatos689]

Hello python-jose team.

I open this issue as a way to try to confirm if CVE-2025-61152 has been officially recognized by you as a vulnerability affecting the python-jose code. The main reason behing my question is because the PoC seems to actually use an option that would cause the issue to arise in the first place (options={"verify_signature": False}), as identified in https://bugzilla.suse.com/show_bug.cgi?id=1251866#c5.

Thanks in advance for any information you are able to provide!

[javiermorales36]

My apologies regarding CVE-2025-61152. Upon further review, I confirmed the issue only occurs when explicitly disabling signature verification, which is expected behavior rather than a library vulnerability.

Sorry for the false alarm.

[cmatos689]

Thank you for the information!

[noren95]

Hi @javiermorales36
Should it be redacted from MITRE (cve.org) soon? Do you confirm this is a False Positive report?

[javiermorales36]

Hello, it has been reported as a false positive. As soon as they tell me, I will put it.