298 matches found
UBUNTU-CVE-2025-62706
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable...
CVE-2025-62706
Authlib’s CVE-2025-62706 affects the JWE zip=DEF decompression path in prior releases. A small ciphertext could inflate to tens/hundreds of MB during decrypt, enabling DoS via memory and CPU exhaustion. A fix exists in v1.6.5; mitigations include rejecting or stripping zip=DEF for inbound JWEs, a...
CVE-2025-62706 Authlib : JWE zip=DEF decompression bomb enables DoS
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable...
GHSA-G7F3-828F-7H7M Authlib : JWE zip=DEF decompression bomb enables DoS
Summary Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable tokens to exhaust memory and CPU and cause denial of service. Details - Affected component...
EUVD-2022-41076
Malicious code in bioql PyPI...
EUVD-2024-0939
Malicious code in bioql PyPI...
EUVD-2024-0938
Malicious code in bioql PyPI...
EUVD-2025-23966
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2022-32096
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Rhonabwy before v1.1.5 was discovered to contain a buffer overflow via the component rjweaesgcmkeyunwrap. This vulnerability allows attackers to cause a Denial ...
Linux Distros Unpatched Vulnerability : CVE-2024-28102
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to version 1.5.6, an attacker can cause a denial of service attack by...
CVE-2025-54887
jwe is a Ruby implementation of the RFC 7516 JSON Web Encryption JWE standard. In versions 1.1.0 and below, authentication tags of encrypted JWEs can be brute forced, which may result in loss of confidentiality for those JWEs and provide ways to craft arbitrary JWEs. This puts users at risk becau...
Linux Distros Unpatched Vulnerability : CVE-2024-28176
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - jose is a JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens JWT, JSON Web Signature JWS, JSON Web Encryption JWE, JS...
SUSE CVE-2025-54887
jwe is a Ruby implementation of the RFC 7516 JSON Web Encryption JWE standard. In versions 1.1.0 and below, authentication tags of encrypted JWEs can be brute forced, which may result in loss of confidentiality for those JWEs and provide ways to craft arbitrary JWEs. This puts users at risk becau...
CVE-2025-54887
jwe is a Ruby implementation of the RFC 7516 JSON Web Encryption JWE standard. In versions 1.1.0 and below, authentication tags of encrypted JWEs can be brute forced, which may result in loss of confidentiality for those JWEs and provide ways to craft arbitrary JWEs. This puts users at risk becau...
CVE-2025-54887 jwe: Missing AES-GCM authentication tag validation in encrypted JWEs
jwe is a Ruby implementation of the RFC 7516 JSON Web Encryption JWE standard. In versions 1.1.0 and below, authentication tags of encrypted JWEs can be brute forced, which may result in loss of confidentiality for those JWEs and provide ways to craft arbitrary JWEs. This puts users at risk becau...
CVE-2025-54887
CVE-2025-54887 affects the Ruby library jwe (Ruby implementation of RFC 7516) in versions 1.1.0 and earlier. The auth tag of encrypted JWEs can be brute-forced, enabling modification of JWEs to yield arbitrary plaintext and potentially revealing the GHASH key, which requires rotating keys after u...
CVE-2025-54887 jwe: Missing AES-GCM authentication tag validation in encrypted JWEs
jwe is a Ruby implementation of the RFC 7516 JSON Web Encryption JWE standard. In versions 1.1.0 and below, authentication tags of encrypted JWEs can be brute forced, which may result in loss of confidentiality for those JWEs and provide ways to craft arbitrary JWEs. This puts users at risk becau...
JWE security vulnerability
JWE is a Ruby-based JSON Web Encryption library open-sourced by JSON Web Token. A security vulnerability exists in JWE 1.1.0 and earlier versions because the authentication tag of an encrypted JWE can be brute-forced, potentially resulting in a loss of confidentiality...
The vulnerability of the implementation of the JSON Web Encryption (JWE) standard RFC 7516 in the Ruby programming language allows a perpetrator to disclose and modify the protected information.
The vulnerability of the JSON Web Encryption JWE RFC 7516 standard implementation in the Ruby programming language is related to improper verification of data integrity. Exploiting this vulnerability could allow an attacker to disclose and modify the protected information...
Improper Validation of Integrity Check Value
Overview jwe is a Ruby implementation of the RFC 7516 JSON Web Encryption JWE standard. Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value due to missing authentication tag validation in the AES-GCM process. An attacker can gain access to confidential...