PyPI: python-jose

CVE-2024-33664

Safety vulnerability ID: 70716

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created: Apr 26, 2024. Updated: Sep 08, 2024.

Advisory

Affected versions of python-jose allow an attacker to cause a denial of service (resource consumption) during decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a "JWT bomb." This is similar to CVE-2024-21319.

Affected package

python-jose

Latest version: 3.3.0

JOSE implementation in Python

Affected versions

Fixed versions

Vulnerability changelog

python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a "JWT bomb." This is similar to CVE-2024-21319. See CVE-2024-33664.


Issue: https://github.com/mpdavis/python-jose/issues/344
Pull request: https://github.com/mpdavis/python-jose/pull/345
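The advisory and the changelog entry above both describe the same failure: a JWE "zip": "DEF" payload is inflated without any bound on its output size, so a few kilobytes of ciphertext can expand into hundreds of megabytes. As an added example, not code from python-jose or from the linked fix, here is the decoder-side mitigation a JWE consumer would apply to the decrypted payload before parsing it: a raw-DEFLATE inflate whose memory use stays within a fixed budget. MAX_INFLATED_BYTES, the sample claim set and the zero-filled bomb are constructed for this example.

```python
import zlib

# Raw DEFLATE (RFC 1951) is what JWE's "zip": "DEF" header parameter selects.
RAW_DEFLATE_WBITS = -15
# Hard cap on inflated plaintext. Chosen for this example; size it to the
# largest legitimate claim set your application actually issues.
MAX_INFLATED_BYTES = 64 * 1024


class InflateLimitExceeded(ValueError):
    """Compressed input would expand past the configured cap."""


def deflate_raw(data: bytes) -> bytes:
    """Compress as a JWE producer applying zip=DEF would (raw DEFLATE)."""
    c = zlib.compressobj(level=9, wbits=RAW_DEFLATE_WBITS)
    return c.compress(data) + c.flush()


def inflate_bounded(data: bytes, limit: int = MAX_INFLATED_BYTES) -> bytes:
    """Inflate raw DEFLATE without ever producing more than `limit` bytes.

    zlib.decompress() allocates whatever the stream expands to, which is
    exactly what a JWT bomb exploits. Driving a Decompress object with
    max_length keeps every allocation inside the budget and aborts as soon
    as the budget is exceeded.
    """
    d = zlib.decompressobj(wbits=RAW_DEFLATE_WBITS)
    out = bytearray()
    pending = data
    while True:
        # Ask for at most the remaining budget plus one byte: a single byte
        # over the cap proves the stream is too large, and we stop there.
        chunk = d.decompress(pending, max_length=limit + 1 - len(out))
        out += chunk
        if len(out) > limit:
            raise InflateLimitExceeded(f"inflated size exceeds {limit} bytes")
        pending = d.unconsumed_tail
        # Done at end of stream, or when neither input nor output remains.
        if d.eof or (not pending and not chunk):
            break
    if not d.eof:
        raise ValueError("truncated or corrupt DEFLATE stream")
    return bytes(out)


def build_constructed_bomb(inflated_size: int = 8 * 1024 * 1024) -> bytes:
    """Constructed test input: a run of zeros, which DEFLATE shrinks ~1000x."""
    return deflate_raw(b"\0" * inflated_size)
```

The 8 MiB bomb compresses to roughly 8 KiB, so a decoder that trusts the token size sees nothing unusual; the bounded inflate rejects it after producing only limit + 1 bytes.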
