CVE-2020-10594: 
Python vulnerability analysis and mitigation

An issue was discovered in drf-jwt 1.15.x before 1.15.1 that allows attackers with access to a notionally invalidated token to obtain a new, working token via the refresh endpoint. This occurs because the blacklist protection mechanism is incompatible with the token-refresh feature. It's worth noting that drf-jwt is a fork of jpadilla/django-rest-framework-jwt, which is unmaintained (MITRE CVE).

The vulnerability exists in the token refresh mechanism of drf-jwt. When both token blacklisting and JWT_ALLOW_REFRESH features are enabled, the system fails to properly validate blacklisted tokens during the refresh process. This allows attackers to bypass the blacklist protection by using the refresh endpoint with an invalidated token (GitHub Issue).

The vulnerability allows attackers to circumvent token invalidation mechanisms. Even when a token is blacklisted (invalidated), an attacker can use it to obtain a new, valid token through the refresh endpoint, effectively bypassing security controls meant to revoke access (MITRE CVE).

The issue has been fixed in drf-jwt version 1.15.1. Users are strongly advised to upgrade to this version or later. For those unable to upgrade immediately, it's recommended to carefully consider the use of token blacklisting in combination with refresh tokens, as these features are incompatible in versions prior to 1.15.1 (MITRE CVE).

The vulnerability led to discussions about the maintenance status of JWT implementations in the Django ecosystem. The original django-rest-framework-jwt project was officially archived, with the maintainer recommending either the Styria-Digital fork (drf-jwt) or django-rest-framework-simplejwt as alternatives (GitHub Discussion).