Package details: pkg:pypi/python-jose@3.4.0
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (3)
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-az98-gfrm-c3ev | python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a "JWT bomb." This is similar to CVE-2024-21319. | CVE-2024-33664, GHSA-cjwg-qfpm-7377, PYSEC-2024-233 |
| VCID-vnjx-j746-z3fn | python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217. | CVE-2024-33663, GHSA-6c5p-j8vq-pqhj, PYSEC-2024-232 |
| VCID-x2xb-crrp-hfaf | Duplicate Advisory: python-jose denial of service via compressed JWE content. Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-cjwg-qfpm-7377. This link is maintained to preserve external references. Original Description: In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. | CVE-2024-29370, GHSA-h4pw-wxh7-4vjj |

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-17T00:03:26.130494+00:00 | GitLab Importer | Fixing | VCID-x2xb-crrp-hfaf | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/python-jose/CVE-2024-29370.yml | 38.4.0 |
| 2026-04-12T01:26:29.261842+00:00 | GitLab Importer | Fixing | VCID-x2xb-crrp-hfaf | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/python-jose/CVE-2024-29370.yml | 38.3.0 |
| 2026-04-03T01:35:09.383527+00:00 | GitLab Importer | Fixing | VCID-x2xb-crrp-hfaf | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/python-jose/CVE-2024-29370.yml | 38.1.0 |
| 2026-04-01T16:07:23.535711+00:00 | GHSA Importer | Fixing | VCID-x2xb-crrp-hfaf | https://github.com/advisories/GHSA-h4pw-wxh7-4vjj | 38.0.0 |
| 2026-04-01T16:05:11.121008+00:00 | GHSA Importer | Fixing | VCID-az98-gfrm-c3ev | https://github.com/advisories/GHSA-cjwg-qfpm-7377 | 38.0.0 |
| 2026-04-01T16:05:11.095238+00:00 | GHSA Importer | Fixing | VCID-vnjx-j746-z3fn | https://github.com/advisories/GHSA-6c5p-j8vq-pqhj | 38.0.0 |
| 2026-04-01T15:16:15.543594+00:00 | PyPI Importer | Fixing | VCID-vnjx-j746-z3fn | https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip | 38.0.0 |
| 2026-04-01T15:16:15.397936+00:00 | PyPI Importer | Fixing | VCID-az98-gfrm-c3ev | https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip | 38.0.0 |
| 2026-04-01T12:55:37.249470+00:00 | GithubOSV Importer | Fixing | VCID-x2xb-crrp-hfaf | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-h4pw-wxh7-4vjj/GHSA-h4pw-wxh7-4vjj.json | 38.0.0 |
| 2026-04-01T12:53:32.951808+00:00 | GitLab Importer | Fixing | VCID-x2xb-crrp-hfaf | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/python-jose/CVE-2024-29370.yml | 38.0.0 |
| 2026-04-01T12:52:46.884655+00:00 | GitLab Importer | Fixing | VCID-az98-gfrm-c3ev | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/python-jose/CVE-2024-33664.yml | 38.0.0 |
| 2026-04-01T12:52:46.855430+00:00 | GitLab Importer | Fixing | VCID-vnjx-j746-z3fn | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/python-jose/CVE-2024-33663.yml | 38.0.0 |
| 2026-04-01T12:49:41.291787+00:00 | GithubOSV Importer | Fixing | VCID-vnjx-j746-z3fn | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-6c5p-j8vq-pqhj/GHSA-6c5p-j8vq-pqhj.json | 38.0.0 |
| 2026-04-01T12:49:36.416978+00:00 | GithubOSV Importer | Fixing | VCID-az98-gfrm-c3ev | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-cjwg-qfpm-7377/GHSA-cjwg-qfpm-7377.json | 38.0.0 |
| 2026-04-01T12:49:30.246180+00:00 | Pypa Importer | Fixing | VCID-vnjx-j746-z3fn | https://github.com/pypa/advisory-database/blob/main/vulns/python-jose/PYSEC-2024-232.yaml | 38.0.0 |
| 2026-04-01T12:49:30.159143+00:00 | Pypa Importer | Fixing | VCID-az98-gfrm-c3ev | https://github.com/pypa/advisory-database/blob/main/vulns/python-jose/PYSEC-2024-233.yaml | 38.0.0 |