CVE-2024-29370
Denial-of-Service in python-jose jwe.decrypt via Malicious JWE Token
Publication date: 2025-12-17
Last updated on: 2025-12-17
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mpdavis | python-jose | 3.3.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-409 | The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in python-jose 3.3.0 occurs in the jwe.decrypt function when processing JSON Web Encryption (JWE) tokens. An attacker can craft a malicious JWE token with an extremely high compression ratio using the DEF compression algorithm. When the server decompresses this token, it consumes excessive memory and processing time, causing a Denial-of-Service (DoS) condition. [1]
How can this vulnerability impact me?
The vulnerability can cause your server to experience a Denial-of-Service (DoS) condition by forcing it to allocate excessive memory and spend a long time decompressing a maliciously crafted JWE token. This can degrade service availability and potentially disrupt normal operations. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusually high processing times or memory usage during the decryption of JSON Web Encryption (JWE) tokens, especially those using the DEF (DEFLATE) compression algorithm. A practical approach is to create a test script that attempts to decrypt JWE tokens with high compression ratios and measure the time taken. For example, using python-jose 3.3.0, you can craft a large JSON payload with repeated characters, encrypt it with compression enabled (zip='DEF'), and measure the decryption time to observe the vulnerability. Specific commands would involve running such a test script in your environment to detect abnormal resource consumption during token processing. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, it is recommended to impose a maximum token length limit of 250 KB before processing any JWE tokens. This prevents attackers from exploiting the decompression overhead by restricting the size of tokens accepted. This mitigation aligns with practices used in other JWT libraries and helps avoid excessive memory allocation and processing time during decompression. [1]
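The guard described above, written as an added example rather than code from python-jose: it enforces the 250 KB token cap and inspects the protected header for a "zip" member before any decryption work, and it shows a bounded raw-DEFLATE inflate for services that must accept compressed tokens. The 1 MiB plaintext cap, the helper names and the test tokens are constructed assumptions, not values from the advisory.

```python
"""Pre-decrypt guards for compact JWE tokens (added example, not python-jose code)."""
import base64
import json
import zlib

MAX_TOKEN_BYTES = 250 * 1024        # size cap recommended in the advisory
MAX_PLAINTEXT_BYTES = 1024 * 1024   # assumed cap on inflated size (constructed value)

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    # JWE segments carry no '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_header_segment(header: dict) -> str:
    """Build the protected-header segment of a compact JWE (used for test tokens)."""
    return b64url_encode(json.dumps(header, separators=(",", ":")).encode())

def raw_deflate(data: bytes) -> bytes:
    """RFC 1951 raw DEFLATE, the encoding a JWE with 'zip': 'DEF' carries."""
    c = zlib.compressobj(wbits=-15)
    return c.compress(data) + c.flush()

def check_jwe_token(token: str, max_bytes: int = MAX_TOKEN_BYTES,
                    allow_zip: bool = False) -> dict:
    """Validate a compact JWE before key unwrap, decryption or inflation; return its header."""
    if len(token.encode("utf-8")) > max_bytes:
        raise ValueError(f"JWE token exceeds {max_bytes} bytes")
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("compact JWE must have exactly five segments")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:  # covers binascii.Error and JSONDecodeError
        raise ValueError("protected header is not base64url-encoded JSON") from exc
    if not isinstance(header, dict):
        raise ValueError("protected header must be a JSON object")
    if "zip" in header and not allow_zip:
        raise ValueError(f"compressed JWE (zip={header['zip']!r}) rejected by policy")
    return header

def bounded_inflate(data: bytes, max_out: int = MAX_PLAINTEXT_BYTES) -> bytes:
    """Inflate a DEF payload but stop as soon as the output would exceed max_out."""
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(data, max_out + 1)   # max_length bounds the inflated output
    if len(out) > max_out:
        raise ValueError(f"inflated JWE payload exceeds {max_out} bytes")
    return out
```

Call check_jwe_token on the raw token before handing it to jwe.decrypt; the inflate helper only matters if your deployment accepts compressed tokens at all.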