GHSA-c4cm-r9fh-jgj9: 
Python vulnerability analysis and mitigation

A low severity privilege escalation vulnerability was identified in commonground-api-common's JWT authentication middleware (GHSA-c4cm-r9fh-jgj9). The vulnerability affects multiple packages including commonground-api-common (<=1.12.1), vng-api-common (<=2.0.5), and vng-api-common-utrecht (<=1.3.2). The issue was discovered and disclosed on February 9, 2024, involving a non-exploitable weakness in how client-supplied JWTs are verified (GitHub Advisory).

The vulnerability stems from how JWT verification is implemented in the vng-api-common.middleware.AuthMiddleware. The middleware uses PyJWT to verify JWT tokens and specifies 'HS256' as a string instead of using a list of acceptable algorithms ['HS256']. PyJWT's implementation doesn't check the argument type and uses the 'in' operator for algorithm verification, which means any substring of 'HS256' could potentially pass the check. However, this weakness is currently not exploitable as PyJWT's supported algorithm set doesn't include any such substrings (GitHub Commit).

The impact of this vulnerability is considered negligible and entirely theoretical. While it represents a privilege escalation vulnerability, it cannot be exploited in practice due to PyJWT's explicit allow-list of known algorithms. If it were exploitable, it could potentially allow attackers to tamper with client JWTs, leading to privilege escalation and enabling impersonation of any client without leaving traces of the real user (GitHub Advisory).

The issue will be fixed in version 1.12.2 of commonground-api-common. While no immediate workarounds are needed, users should exercise caution when updating PyJWT and verify that their PyJWT implementation doesn't include algorithms with names '', 'HS25', 'HS2', 'HS', 'H', or ensure these algorithms are acceptable for their use case (GitHub Advisory).