VYPR
Moderate severity · NVD Advisory · Published Mar 6, 2024 · Updated Sep 9, 2024

JWCrypto vulnerable to JWT bomb Attack in `deserialize` function

CVE-2024-28102

Description

JWCrypto implements the JWK, JWS, and JWE specifications using python-cryptography. Prior to version 1.5.6, an attacker can cause a denial of service by passing in a malicious JWE token with a high compression ratio: when the server processes the token, it consumes a large amount of memory and processing time. Version 1.5.6 fixes this vulnerability by limiting the maximum token length.


Affected packages

Versions sourced from the GitHub Security Advisory.

Package: jwcrypto (PyPI)
Affected versions: < 1.5.6
Patched versions: 1.5.6
