VYPR

Jwcrypto

by Latchset

pypi: jwcrypto

CVEs (4)

  • CVE-2016-6298 | Med | Sep 1, 2016
    risk 0.28 | cvss 5.3 | epss 0.02

    The _Rsa15 class in the RSA 1.5 algorithm implementation in jwa.py in jwcrypto before 0.3.2 lacks the Random Filling protection mechanism, which makes it easier for remote attackers to obtain cleartext data via a Million Message Attack (MMA).

  • CVE-2026-39373 | Med | Apr 7, 2026
    risk 0.27 | cvss 5.3 | epss 0.00

    JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression. The existing patch for CVE-2024-28102 limits input token size to 250KB but…

  • CVE-2022-3102 | Med | Sep 21, 2022
    risk 0.19 | cvss | epss 0.00

    The JWT code can auto-detect the type of token being provided, and this can lead the application to incorrect conclusions about the trustworthiness of the token. Quoting the private disclosure we received: "Under certain circumstances, it is possible to substitute a [..] signed…

  • CVE-2024-28102 | Mar 6, 2024
    risk 0.00 | cvss | epss 0.01

    JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to version 1.5.6, an attacker can cause a denial of service attack by passing in a malicious JWE Token with a high compression ratio. When the server processes this token, it will consume a lot…