CVE-2026-39373— JWCrypto: JWE ZIP decompression bomb

JWCrypto: JWE ZIP decompression bomb

JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression. The existing patch for CVE-2024-28102 limits input token size to 250KB but does not validate the decompressed output size. An unauthenticated attacker can cause memory exhaustion on memory-constrained systems. A token under the 250KB input limit can decompress to approximately 100MB. This vulnerability is fixed in 1.5.7.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

对高度压缩数据的处理不恰当(数据放大攻击)

JWCrypto 安全漏洞

JWCrypto是JWCrypto开源的一个 Javascript 对象签名和加密 (JOSE) Web 标准的实现。 JWCrypto 1.5.7之前版本存在安全漏洞，该漏洞源于对解压缩输出大小验证不足，可能导致未经身份验证的攻击者耗尽服务器内存。

N/A

N/A