CVE-2026-39373
Status: Received - Intake
Decompression Bomb Memory Exhaustion in JWCrypto JWE Tokens

Publication date: 2026-04-07

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description
JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression. The existing patch for CVE-2024-28102 limits input token size to 250KB but does not validate the decompressed output size. An unauthenticated attacker can cause memory exhaustion on memory-constrained systems. A token under the 250KB input limit can decompress to approximately 100MB. This vulnerability is fixed in 1.5.7.
Meta Information
Published: 2026-04-07
Last Modified: 2026-04-15
Generated: 2026-05-07
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: latchset
Product: jwcrypto
Version / Range: up to 1.5.7 (excluding)
CWE-409: The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-39373 is a vulnerability in the jwcrypto Python package (versions up to 1.5.6) related to how it handles compressed JSON Web Encryption (JWE) tokens. The package limits the size of the compressed input token to 250KB but does not check the size of the decompressed output. This means an attacker can send a compressed token under 250KB that decompresses to a very large size (around 100MB), causing the server to use excessive memory.

Because the decompressed size is not validated, an unauthenticated attacker can exploit this to exhaust server memory, potentially causing a denial of service (DoS) on memory-constrained systems.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


How can this vulnerability impact me?

This vulnerability can lead to a denial of service (DoS) condition by exhausting the memory of systems processing JWE tokens with ZIP compression. An attacker does not need to be authenticated or have any privileges to exploit this issue.

On memory-constrained or small devices, the decompression of a crafted token can consume large amounts of memory (e.g., decompressing a 132KB token to about 100MB), potentially causing the system to slow down, crash, or become unresponsive.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unusually large decompressed JWE tokens being processed by the jwcrypto library, especially those using ZIP compression. Since the vulnerability involves decompressing compressed tokens that are under 250KB but decompress to very large sizes (e.g., ~100MB), detection involves inspecting JWE tokens for suspicious compression ratios.

You can detect attempts to exploit this vulnerability by capturing network traffic and extracting JWE tokens, then checking their compressed size and estimating decompressed size. However, no specific commands are provided in the available resources.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the jwcrypto Python package to version 1.5.7 or later, where this vulnerability is fixed by properly validating the decompressed output size of JWE tokens.

Until the upgrade can be applied, consider implementing additional input validation or limiting the processing of compressed JWE tokens to prevent memory exhaustion, although no specific workaround commands are provided.
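The detection and mitigation answers above both come down to one check: the decompressed size of a "zip":"DEF" JWE plaintext must be bounded, not just the compressed input. The following is an added, defender-side example (not code from jwcrypto, the advisory, or any patch) showing how a JWE consumer can inflate the post-decryption plaintext under a fixed output budget so a small, highly compressible input can never balloon in memory. The 256 KiB output cap, the `decompress_jwe_plaintext` helper, and the constructed sample payloads are assumptions for the example; the 250 KB input cap is the one the advisory says jwcrypto already enforces.

```python
"""Bounded inflate for JWE "zip":"DEF" plaintext (added example, not jwcrypto's code)."""
import zlib

MAX_INPUT_BYTES = 250 * 1024    # compressed-token cap the advisory says jwcrypto already enforces
MAX_OUTPUT_BYTES = 256 * 1024   # assumed cap on decompressed plaintext; tune per deployment
READ_STEP = 64 * 1024           # how much output we ask zlib for per iteration


class DecompressionBombError(ValueError):
    """Raised when inflating would exceed the configured output budget."""


def bounded_inflate(data: bytes, max_output: int = MAX_OUTPUT_BYTES) -> bytes:
    """Inflate raw DEFLATE data (RFC 1951, as JWE "zip":"DEF" uses) but stop as
    soon as the output would exceed max_output, without ever materialising the
    full decompressed stream in memory."""
    if len(data) > MAX_INPUT_BYTES:
        raise ValueError("compressed input exceeds %d bytes" % MAX_INPUT_BYTES)
    d = zlib.decompressobj(wbits=-15)   # -15: raw DEFLATE, no zlib/gzip header
    out = bytearray()
    buf = data
    while not d.eof:
        # Ask for at most (remaining budget + 1) bytes: the +1 is what lets us
        # notice the overflow, and max_length must stay >= 1 (0 means unlimited).
        want = min(READ_STEP, max_output - len(out) + 1)
        chunk = d.decompress(buf, want)
        out += chunk
        if len(out) > max_output:
            raise DecompressionBombError(
                "decompressed output exceeds %d bytes (input was %d bytes)"
                % (max_output, len(data)))
        buf = d.unconsumed_tail          # compressed input zlib has not read yet
        if not chunk and not buf:
            break                        # no progress and nothing left: truncated stream
    if not d.eof:
        raise ValueError("truncated or corrupt DEFLATE stream")
    return bytes(out)


def decompress_jwe_plaintext(protected: dict, plaintext: bytes,
                             max_output: int = MAX_OUTPUT_BYTES) -> bytes:
    """Post-decryption step of a JWE consumer (assumed helper): honour the
    protected header's "zip" member, but only under the output budget."""
    zip_alg = protected.get("zip")
    if zip_alg is None:
        return plaintext
    if zip_alg != "DEF":
        raise ValueError("unsupported zip algorithm %r" % zip_alg)
    return bounded_inflate(plaintext, max_output)


def raw_deflate(payload: bytes) -> bytes:
    """Compress with raw DEFLATE (what "zip":"DEF" expects); used to build samples."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(payload) + c.flush()


# Constructed sample inputs (not taken from the advisory or any real token).
NORMAL_PLAINTEXT = b'{"sub":"alice","scope":"read"}'
# 8 MiB of zeros shrinks to a few KiB: far under the input cap, far over the output cap.
BOMB_PLAINTEXT = raw_deflate(b"\x00" * (8 * 1024 * 1024))


def demo() -> dict:
    """Run both samples through the budgeted path and report what happened."""
    hdr = {"alg": "dir", "enc": "A256GCM", "zip": "DEF"}   # constructed protected header
    results = {
        "normal_roundtrip": decompress_jwe_plaintext(hdr, raw_deflate(NORMAL_PLAINTEXT))
        == NORMAL_PLAINTEXT,
        "bomb_compressed_size": len(BOMB_PLAINTEXT),
        "bomb_rejected": False,
    }
    try:
        decompress_jwe_plaintext(hdr, BOMB_PLAINTEXT)
    except DecompressionBombError:
        results["bomb_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the streaming loop is that peak memory is bounded by `max_output` plus one read step regardless of the input's compression ratio, which is exactly the property the 250 KB input cap alone cannot give. The same `bounded_inflate` can be used on the detection side: feeding a captured token's decrypted plaintext through it and logging every `DecompressionBombError` is a direct way to spot the suspicious compression ratios the detection answer describes.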

