CVE-2026-39373 JWCrypto: JWE ZIP decompression bomb
JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression. The existing patch for CVE-2024-28102 limits input token size to 250KB but does not validate th...
Allocation of Resources Without Limits or Throttling
Overview: authlib is a library for building OAuth and OpenID Connect servers. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the DeflateZipAlgorithm.decompress function. An attacker can exhaust memory and CPU resources by submitting...
EUVD-2025-33768
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or signature spans hundreds of megabytes...
Denial Of Service (DoS)
python-jose is vulnerable to Denial of Service (DoS). The vulnerability is due to missing token size limits during the decoding process of a JSON Web Encryption (JWE) token. An attacker can submit a token with a high compression ratio, depleting system resources, which can result in Denial of Service...
PT-2024-2083
Name of the Vulnerable Software and Affected Versions: jwcrypto versions prior to 1.5.6. Description: The issue is related to an uncontrolled resource consumption in the jwcrypto library. An attacker can cause a denial of service by passing in a malicious JWE Token with a high compression...
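The JWE entries above (jwcrypto, authlib, python-jose) all come down to the same two checks: a cap on the encoded token, which the earlier fixes added, and a cap on what the "zip":"DEF" payload is allowed to expand to, which was missing. The following is an added illustration and not code from jwcrypto, authlib or python-jose; the function names, the 256 KB plaintext cap and the sample payloads are assumptions made here, and the 250 KB token cap mirrors the figure quoted in the CVE-2026-39373 entry. It uses zlib's max_length so that the decompressor never produces more than one byte over the cap, whatever the compression ratio of the input.

```python
import zlib

# Assumed limits for illustration. The token cap mirrors the 250KB figure from the
# CVE-2024-28102 fix mentioned above; the plaintext cap is chosen here.
MAX_TOKEN_BYTES = 250 * 1024
MAX_PLAINTEXT_BYTES = 256 * 1024


class DecompressionLimitExceeded(ValueError):
    """Raised when a DEFLATE stream would expand beyond the configured cap."""


def check_token_size(token: str, limit: int = MAX_TOKEN_BYTES) -> str:
    """The check the earlier patches add: reject oversized encoded tokens up front."""
    if len(token) > limit:
        raise ValueError(f"JWE token of {len(token)} bytes exceeds {limit}")
    return token


def deflate_compress(data: bytes) -> bytes:
    """JWE 'zip':'DEF' is raw DEFLATE (RFC 1951): wbits=-15, no zlib header."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def deflate_decompress_bounded(data: bytes, limit: int = MAX_PLAINTEXT_BYTES) -> bytes:
    """Inflate raw DEFLATE but never materialise more than limit+1 output bytes.

    A plain zlib.decompress(data, -15) allocates whatever the stream expands to,
    so a few KB of input can become gigabytes. max_length makes zlib stop at
    the cap and hand back the unread input in unconsumed_tail.
    """
    d = zlib.decompressobj(-15)
    out = bytearray()
    pending = data
    while pending:
        # Ask for at most limit+1 bytes in total: one byte over the cap is enough
        # to prove the stream is too large without buffering the whole thing.
        out += d.decompress(pending, limit + 1 - len(out))
        if len(out) > limit:
            raise DecompressionLimitExceeded(
                f"decompressed size exceeds {limit} bytes after {len(data)} input bytes")
        pending = d.unconsumed_tail
    # Output zlib still holds from already-consumed input (a few KB at most).
    out += d.flush()
    if len(out) > limit:
        raise DecompressionLimitExceeded(f"decompressed size exceeds {limit} bytes")
    if not d.eof:
        raise ValueError("truncated or corrupt DEFLATE stream")
    return bytes(out)


def inflate_jwe_plaintext(protected_header: dict, plaintext: bytes,
                          limit: int = MAX_PLAINTEXT_BYTES) -> bytes:
    """Apply the 'zip' header after decryption, with the output bound enforced."""
    zip_alg = protected_header.get("zip")
    if zip_alg is None:
        return plaintext
    if zip_alg != "DEF":
        raise ValueError(f"unsupported zip algorithm {zip_alg!r}")
    return deflate_decompress_bounded(plaintext, limit)


def build_bomb(expanded_size: int) -> bytes:
    """Constructed attacker payload: a run of one byte, which DEFLATE shrinks
    by roughly a factor of a thousand."""
    return deflate_compress(b"A" * expanded_size)


if __name__ == "__main__":
    header = {"alg": "dir", "enc": "A256GCM", "zip": "DEF"}
    print(inflate_jwe_plaintext(header, deflate_compress(b'{"sub":"alice"}')))
    bomb = build_bomb(64 * 1024 * 1024)  # 64 MiB of plaintext, a few tens of KB on the wire
    print(f"bomb is {len(bomb)} bytes on the wire")
    try:
        inflate_jwe_plaintext(header, bomb)
    except DecompressionLimitExceeded as e:
        print("rejected:", e)
```

The cap is an absolute output limit rather than a ratio check: peak memory is bounded by the limit no matter how small the input is, and the size check on the encoded token alone cannot achieve that, because a token well under 250 KB still expands to whatever the attacker packed into it.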
UBUNTU-CVE-2023-25563
GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that implements NTLM authentication. Prior to version 1.2.0, multiple out-of-bounds reads when decoding NTLM fields can trigger a denial of service. A 32-bit integer overflow condition can lead to incorrect checks of consistency of length of...