Executive Summary

This vulnerability in python-jose 3.3.0 occurs in the jwe.decrypt function when processing JSON Web Encryption (JWE) tokens. An attacker can craft a malicious JWE token with an extremely high compression ratio using the DEF compression algorithm. When the server decompresses this token, it consumes excessive memory and processing time, causing a Denial-of-Service (DoS) condition. [1]

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can cause your server to experience a Denial-of-Service (DoS) condition by forcing it to allocate excessive memory and spend a long time decompressing a maliciously crafted JWE token. This can degrade service availability and potentially disrupt normal operations. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unusually high processing times or memory usage during the decryption of JSON Web Encryption (JWE) tokens, especially those using the DEF (DEFLATE) compression algorithm. A practical approach is to create a test script that attempts to decrypt JWE tokens with high compression ratios and measure the time taken. For example, using python-jose 3.3.0, you can craft a large JSON payload with repeated characters, encrypt it with compression enabled (zip='DEF'), and measure the decryption time to observe the vulnerability. Specific commands would involve running such a test script in your environment to detect abnormal resource consumption during token processing. [1]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, it is recommended to impose a maximum token length limit of 250 KB before processing any JWE tokens. This prevents attackers from exploiting the decompression overhead by restricting the size of tokens accepted. This mitigation aligns with practices used in other JWT libraries and helps avoid excessive memory allocation and processing time during decompression. [1]

Useful 0 Not Useful 0