JWT
JWT rules for Python
5 Security Rules
Run All JWT Rules
pathfinder scan --ruleset python/jwt --project .
Rules
JWT Hardcoded Secret
HIGH
Finds jwt.encode() calls where the signing secret is a hardcoded string instead of a runtime configuration value.
python, jwt, pyjwt, hardcoded-secret, credentials, token-signing, authentication, CWE-798, CWE-522, OWASP-A02
CWE-798, CWE-522
Updated 2026-03-22
JWT None Algorithm
CRITICAL
Detects jwt.encode() calls using algorithm='none', which creates unsigned tokens that anyone can forge.
python, jwt, pyjwt, none-algorithm, unsigned-token, token-forgery, cryptographic-failure, CWE-327, CWE-345, OWASP-A02
CWE-327, CWE-345
Updated 2026-03-22
Unverified JWT Decode
HIGH
Detects jwt.decode() calls that may bypass signature verification, allowing tampered tokens to be accepted.
python, jwt, pyjwt, unverified-decode, signature-bypass, authentication, token-verification, CWE-287, CWE-345, OWASP-A07
CWE-287, CWE-345
Updated 2026-03-22
JWT Exposed Credentials
MEDIUM
Detects jwt.encode() calls where passwords or secrets may be included in the token payload, exposing them to anyone who reads the token.
python, jwt, pyjwt, credentials, password-exposure, data-exposure, cleartext, audit, CWE-522, CWE-312, OWASP-A02, OWASP-A04
CWE-522, CWE-312
Updated 2026-03-22
JWT User Input in Payload
LOW
Traces user-controlled input from Flask/Django request parameters into jwt.encode() payloads using taint analysis.
python, jwt, pyjwt, data-exposure, taint-analysis, user-input, flask, django, request-data, CWE-522, CWE-200, OWASP-A02, OWASP-A04
CWE-522, CWE-200
Updated 2026-03-22