GHSA-h4pw-wxh7-4vjj: Duplicate Advisory: python-jose denial of service via compressed JWE content

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-cjwg-qfpm-7377. This link is maintained to preserve external references.

Original Description

In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.
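The following is an added example, not python-jose's own code: a size-capped decompression step a JWE consumer could apply to decrypted content. It assumes the token uses `"zip": "DEF"` (raw DEFLATE per RFC 7516); the names `bounded_inflate`, `raw_deflate` and `MAX_PLAINTEXT` and the 250 KiB cap are assumptions chosen for illustration.

```python
import zlib

# Assumed cap for this example; size it to the largest legitimate token you expect.
MAX_PLAINTEXT = 250 * 1024


class DecompressionLimitExceeded(ValueError):
    """Raised when inflated JWE content would exceed the configured cap."""


def bounded_inflate(data: bytes, limit: int = MAX_PLAINTEXT) -> bytes:
    """Inflate raw DEFLATE data, never producing more than limit + 1 bytes."""
    inflater = zlib.decompressobj(wbits=-15)  # -15 selects raw DEFLATE, no zlib header
    # max_length bounds the output, so memory use stays fixed however
    # large the stream claims to be; one extra byte reveals an overrun.
    out = inflater.decompress(data, limit + 1)
    if len(out) > limit:
        raise DecompressionLimitExceeded(f"inflated content exceeds {limit} bytes")
    if not inflater.eof:
        raise ValueError("truncated DEFLATE stream")
    if inflater.unused_data:
        raise ValueError("trailing bytes after DEFLATE stream")
    return out


def raw_deflate(plaintext: bytes) -> bytes:
    """Helper used only to build constructed sample input for this example."""
    deflater = zlib.compressobj(level=9, wbits=-15)
    return deflater.compress(plaintext) + deflater.flush()


if __name__ == "__main__":
    # Constructed samples: a small claims object and a highly repetitive payload.
    small = raw_deflate(b'{"sub":"alice"}')
    repetitive = raw_deflate(b"\0" * (4 * 1024 * 1024))
    print("small ->", bounded_inflate(small))
    print("repetitive input size:", len(repetitive), "bytes")
    try:
        bounded_inflate(repetitive)
    except DecompressionLimitExceeded as exc:
        print("rejected:", exc)
```

The cap is enforced while inflating rather than after, so an oversized token is rejected without ever allocating its full expanded size.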

CVE ID: CVE-2024-29370

Moderate severity • GitHub Reviewed • Published Dec 17, 2025 to the GitHub Advisory Database • Updated Dec 18, 2025

Withdrawn: This advisory was withdrawn on Dec 18, 2025

Package

python-jose (pip)

Affected versions

< 3.4.0
