GHSA-h4pw-wxh7-4vjj
Denial-of-Service (DoS) vulnerability in python-jose (PyPI)
What is GHSA-h4pw-wxh7-4vjj About?
This vulnerability in python-jose allows a Denial-of-Service condition through a crafted JSON Web Encryption (JWE) token. An attacker can create a token whose compressed content has an exceptionally high compression ratio, so that decompressing it consumes large amounts of memory and CPU time. Exploitation only requires delivering such a JWE token to a system that processes it.
Affected Software
Technical Details
The vulnerability exists in the jwe.decrypt function of python-jose 3.3.0. A malicious actor can craft a JSON Web Encryption (JWE) token whose compressed content has an extremely high compression ratio. When a server decrypts this token, the decompression step demands an inordinate amount of memory and CPU time. This resource exhaustion leads to a Denial-of-Service condition, making the server unresponsive or causing it to crash.
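As an added illustration (not python-jose's own code), the following shows the defensive pattern that addresses this class of bug: inflating a JWE "zip": "DEF" payload with a hard cap on the output size, so a stream with a very high compression ratio is rejected before it can exhaust memory. The cap value, function names and sample inputs are assumptions constructed for this example; the supported fix remains upgrading to 3.4.0.

```python
import json
import zlib

# Illustrative cap (an assumption, not python-jose's setting): set it just above
# the largest plaintext a legitimate token for this application can carry.
MAX_INFLATED_BYTES = 256 * 1024

class DecompressionLimitExceeded(ValueError):
    """Inflated output would exceed the configured cap."""

def bounded_inflate(data: bytes, max_out: int = MAX_INFLATED_BYTES) -> bytes:
    """Inflate a raw DEFLATE stream (JWE "zip": "DEF" is RFC 1951, so wbits=-15),
    aborting as soon as the output exceeds max_out. decompress(chunk, max_length)
    emits at most max_length bytes per call and parks unprocessed input in
    unconsumed_tail, so memory stays bounded whatever the compression ratio."""
    d = zlib.decompressobj(wbits=-15)
    out = bytearray()
    chunk = data
    try:
        while chunk and not d.eof:
            out += d.decompress(chunk, max_out - len(out) + 1)
            if len(out) > max_out:
                raise DecompressionLimitExceeded(f"inflated size exceeds {max_out} bytes")
            chunk = d.unconsumed_tail
        out += d.flush()  # may emit a final few bytes, so the cap is re-checked below
    except zlib.error as exc:
        raise ValueError("malformed DEFLATE stream") from exc
    if len(out) > max_out:
        raise DecompressionLimitExceeded(f"inflated size exceeds {max_out} bytes")
    if not d.eof:
        raise ValueError("truncated DEFLATE stream")
    return bytes(out)

def inflates_within_limit(data: bytes, max_out: int = MAX_INFLATED_BYTES) -> bool:
    """True if data inflates to at most max_out bytes, False if the cap is hit."""
    try:
        bounded_inflate(data, max_out)
        return True
    except DecompressionLimitExceeded:
        return False

def deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE encoder, used only to build the constructed samples below."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(data) + c.flush()

LEGIT_PLAINTEXT = json.dumps({"sub": "user-123", "scope": "read"}).encode()  # constructed sample
LEGIT_DEFLATED = deflate_raw(LEGIT_PLAINTEXT)
HIGH_RATIO_DEFLATED = deflate_raw(b"\x00" * (8 * 1024 * 1024))  # a few KB that inflate to 8 MiB
```

A legitimate claims payload inflates normally, while the highly repetitive sample is refused as soon as the output passes the cap, with memory use never exceeding roughly max_out bytes.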
What is the Impact of GHSA-h4pw-wxh7-4vjj?
Successful exploitation may allow attackers to disrupt service availability, causing the application to become unresponsive or crash.
What is the Exploitability of GHSA-h4pw-wxh7-4vjj?
Exploitation of this vulnerability is of moderate complexity, requiring knowledge of JWE token structures and the ability to craft tokens with a high compression ratio. No authentication or elevated privilege is inherently required to deliver the malicious token, but the attacker must be able to submit JWE tokens to the target application, typically over the network. The primary condition is that the target application processes JWE tokens and uses a vulnerable version of the library. Risk factors that increase the likelihood of exploitation include publicly exposed endpoints that accept and decrypt JWE tokens from untrusted sources.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for GHSA-h4pw-wxh7-4vjj?
Available Upgrade Options
- python-jose
  - <3.4.0 → Upgrade to 3.4.0
What are Similar Vulnerabilities to GHSA-h4pw-wxh7-4vjj?
Similar Vulnerabilities: CVE-2024-29371, CVE-2023-39327, CVE-2023-39325, CVE-2022-38706, CVE-2022-23588
