CVE-2025-65015
BaseFortify

Publication date: 2025-11-18

Last updated on: 2025-11-19

Assigner: GitHub, Inc.

Description
joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In versions from 1.3.3 to before 1.3.5 and from 1.4.0 to before 1.4.2, the ExceededSizeError exception messages are embedded with non-decoded JWT token parts and may cause Python logging to record an arbitrarily large, forged JWT payload. In situations where a misconfigured — or entirely absent — production-grade web server sits in front of a Python web application, an attacker may be able to send arbitrarily large bearer tokens in the HTTP request headers. When this occurs, Python logging or diagnostic tools (e.g., Sentry) may end up processing extremely large log messages containing the full JWT header during the joserfc.jwt.decode() operation. The same behavior also appears when validating claims and signature payload sizes, as the library raises joserfc.errors.ExceededSizeError() with the full payload embedded in the exception message. Since the payload is already fully loaded into memory at this stage, the library cannot prevent or reject it. This issue has been patched in versions 1.3.5 and 1.4.2.
Meta Information
Published: 2025-11-18
Last Modified: 2025-11-19
Generated: 2026-05-07
AI Q&A: 2025-11-19
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
joserfc joserfc 1.3.4
joserfc joserfc 1.3.3
joserfc joserfc 1.4.0
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the joserfc Python library versions 1.3.3 to before 1.3.5 and 1.4.0 to before 1.4.2. When the library raises an ExceededSizeError due to large JWT token parts, the exception message includes the full, non-decoded JWT payload. If a misconfigured or absent production-grade web server allows an attacker to send very large bearer tokens in HTTP headers, Python logging or diagnostic tools may log these large payloads. This can lead to processing and storing arbitrarily large log messages containing the full JWT header, potentially causing resource exhaustion or other issues. The vulnerability is patched in versions 1.3.5 and 1.4.2.


How can this vulnerability impact me?

An attacker can exploit this vulnerability by sending very large JWT bearer tokens to a vulnerable Python web application using joserfc. This can cause the application’s logging or diagnostic tools to process and store extremely large log messages, potentially leading to resource exhaustion, degraded performance, or denial of service. It may also expose sensitive JWT token data in logs if the tokens are forged or maliciously crafted.


What immediate steps should I take to mitigate this vulnerability?

Upgrade the joserfc Python library to version 1.3.5 or later, or 1.4.2 or later, as these versions contain patches that fix the vulnerability.
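As an added defensive example (not code from the joserfc project or from this advisory), the two controls the description points to for the unpatched versions: a size bound applied to the raw Authorization header before the token ever reaches joserfc.jwt.decode(), and a logging filter that truncates oversized records so an exception message embedding a raw token cannot become an arbitrarily large log entry. MAX_TOKEN_BYTES, MAX_LOG_MSG_CHARS and the helper render_log_message are constructed for this example, not part of joserfc.

```python
import logging
import re
from typing import Optional

# Constructed limits (assumption): a compact JWT for a typical app is well
# under 4 KiB, and no log line should ever carry a whole token.
MAX_TOKEN_BYTES = 4096
MAX_LOG_MSG_CHARS = 512

# Compact JWS/JWE serialisation: base64url segments separated by dots.
_BEARER_RE = re.compile(r"^Bearer\s+([A-Za-z0-9_\-]+(?:\.[A-Za-z0-9_\-]*)+)$")


def extract_bearer_token(authorization: Optional[str],
                         max_bytes: int = MAX_TOKEN_BYTES) -> Optional[str]:
    """Return the compact token from an Authorization header, or None when the
    header is missing, malformed, or larger than max_bytes. The size check runs
    on the raw header before any decoding, so an oversized token is rejected
    before it can be embedded in an ExceededSizeError message."""
    if not authorization or len(authorization.encode("utf-8")) > max_bytes:
        return None
    match = _BEARER_RE.match(authorization)
    return match.group(1) if match else None


class TruncatingFilter(logging.Filter):
    """Cap the rendered length of every log record, so an exception message that
    embeds a raw token cannot turn into an arbitrarily large log entry."""

    def __init__(self, limit: int = MAX_LOG_MSG_CHARS) -> None:
        super().__init__()
        self.limit = limit

    def filter(self, record: logging.LogRecord) -> bool:
        message = record.getMessage()
        if len(message) > self.limit:
            dropped = len(message) - self.limit
            record.msg = f"{message[:self.limit]}... [truncated {dropped} chars]"
            record.args = ()  # already rendered; nothing left to %-format
        return True


def render_log_message(msg: str, args: tuple = (),
                       limit: int = MAX_LOG_MSG_CHARS) -> str:
    """Run one message through TruncatingFilter and return what a handler sees."""
    record = logging.LogRecord("app", logging.ERROR, "app.py", 0, msg, args, None)
    TruncatingFilter(limit).filter(record)
    return record.getMessage()
```

Attach TruncatingFilter to the handlers that feed log storage or error-reporting tools, and apply extract_bearer_token in the request path ahead of joserfc so the library only ever sees tokens within the bound.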

