2 matches found
PYSEC-2026-70
JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression. The existing patch for CVE-2024-28102 limits input token size to 250KB but does not validate th...
GHSA-HHHV-Q57G-882Q jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext
A vulnerability has been identified in the JSON Web Encryption JWE decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. This allows an adversary to exploit specific scenarios where the compression ratio becomes exceptionally high. As a resul...