Severity: MEDIUM 5.3 · Ecosystem: PyPI
Duplicate Advisory: python-jose denial of service via compressed JWE content
GHSA-h4pw-wxh7-4vjj · CVE-2024-29370 · PYSEC-2025-185
Description
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-cjwg-qfpm-7377. This link is maintained to preserve external references.
Original Description
In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.
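To show the defensive pattern the linked fix addresses, here is an added example (not python-jose's own code; the project's actual change is in the referenced commit) of a bounded inflate for a JWE payload carrying the `zip: DEF` header. The output cap, the helper names and the sample payloads are constructed for illustration.

```python
import zlib

# JWE "zip": "DEF" (RFC 7516) means raw DEFLATE per RFC 1951; wbits=-15 selects
# that wrapper-less format in zlib.
RAW_DEFLATE_WBITS = -15
# Constructed cap for this example; a real deployment sizes it to its largest legitimate payload.
MAX_PLAINTEXT_BYTES = 256 * 1024


class DecompressionBombError(ValueError):
    """Inflating this input would exceed the configured output cap."""


def deflate(data: bytes) -> bytes:
    """Compress with raw DEFLATE, as a JWE producer applying zip=DEF does."""
    comp = zlib.compressobj(wbits=RAW_DEFLATE_WBITS)
    return comp.compress(data) + comp.flush()


def inflate_bounded(data: bytes, limit: int = MAX_PLAINTEXT_BYTES) -> bytes:
    """Inflate raw DEFLATE, refusing to emit more than `limit` bytes of output.

    Decompress.decompress(data, max_length) never returns more than max_length
    bytes; input it could not process is parked in unconsumed_tail. Asking for
    limit + 1 bytes therefore bounds memory regardless of the compression ratio.
    """
    d = zlib.decompressobj(wbits=RAW_DEFLATE_WBITS)
    out = d.decompress(data, limit + 1)
    if len(out) > limit or d.unconsumed_tail:
        raise DecompressionBombError(f"output would exceed {limit} bytes")
    return out


def apply_zip(protected_header: dict, plaintext: bytes, limit: int = MAX_PLAINTEXT_BYTES) -> bytes:
    """Post-decryption step: honour the JWE 'zip' header with a bounded inflate."""
    zip_alg = protected_header.get("zip")
    if zip_alg is None:
        return plaintext
    if zip_alg != "DEF":
        raise ValueError(f"unsupported zip algorithm {zip_alg!r}")
    return inflate_bounded(plaintext, limit)


def demo() -> dict:
    """Constructed inputs: a benign compressed claim set and a highly compressible payload."""
    benign = deflate(b'{"sub":"alice"}')
    bomb = deflate(b"\x00" * 10_000_000)  # a few KB of input that inflate to ~10 MB
    result = {"benign": apply_zip({"zip": "DEF"}, benign), "bomb_input_bytes": len(bomb)}
    try:
        apply_zip({"zip": "DEF"}, bomb)
        result["bomb_rejected"] = False
    except DecompressionBombError:
        result["bomb_rejected"] = True
    return result
```

The cap is enforced by zlib's own output limit rather than by inspecting the compressed size, so it holds even when the input is only a few kilobytes.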
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-29370
- WEB https://github.com/mpdavis/python-jose/issues/344
- WEB https://github.com/mpdavis/python-jose/commit/483529ee93a3ab510ab579d4d4cc644dba926ade
- WEB https://github.com/mpdavis/python-jose/releases/tag/3.4.0
- WEB https://github.com/pypa/advisory-database/tree/main/vulns/python-jose/PYSEC-2025-185.yaml