MEDIUM 5.3
PYSEC-2025-185
Details
python-jose 3.3.0 (specifically jwe.decrypt) allows an attacker to cause a denial of service (DoS) by crafting a JSON Web Encryption (JWE) token whose compressed payload has an exceptionally high compression ratio, i.e. a decompression bomb carried under the JWE "zip": "DEF" header. When the server decrypts such a token, inflating the payload allocates memory proportional to the attacker-chosen decompressed size and consumes the processing time to produce it, with no bound imposed by the library.
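The following is an added example, not code from python-jose or from this advisory. It shows where such a token gets its leverage (raw DEFLATE of a repetitive payload, the RFC 1951 form JWE uses for "zip": "DEF") and two defensive checks a caller can apply: refusing any token whose protected header requests compression before handing it to jwe.decrypt, which needs no change to the library, and a bounded inflate that a fixed decompressor should use. The size cap, the constructed tokens and the 16 MiB bomb are assumptions chosen for the example.

```python
"""Decompression-bomb handling for JWE "zip": "DEF" payloads (added example)."""
import base64
import json
import zlib

# Upper bound on inflated plaintext. Chosen for this example; size it to the
# largest legitimate payload your application ever expects to decrypt.
MAX_PLAINTEXT_BYTES = 1 * 1024 * 1024


def raw_deflate(data: bytes) -> bytes:
    """Compress with raw DEFLATE (RFC 1951, no zlib header), as JWE requires."""
    comp = zlib.compressobj(level=9, wbits=-zlib.MAX_WBITS)
    return comp.compress(data) + comp.flush()


def inflate_unbounded(compressed: bytes) -> bytes:
    """Shown for contrast only: output size is entirely under the sender's
    control. (This is the unbounded pattern, not python-jose's own code.)"""
    return zlib.decompress(compressed, -zlib.MAX_WBITS)


def inflate_bounded(compressed: bytes, limit: int = MAX_PLAINTEXT_BYTES) -> bytes:
    """Inflate, but stop as soon as the output would exceed `limit` bytes."""
    d = zlib.decompressobj(wbits=-zlib.MAX_WBITS)
    # max_length caps the output buffer; surplus input is left in
    # d.unconsumed_tail instead of being inflated.
    out = d.decompress(compressed, limit + 1)
    if len(out) > limit:
        raise ValueError(f"decompressed payload exceeds {limit} bytes")
    if not d.eof:
        raise ValueError("truncated or malformed DEFLATE stream")
    return out


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwe_protected_header(token: str) -> dict:
    """Parse the protected header of a compact-serialization JWE (5 segments)."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("not a JWE compact serialization")
    return json.loads(_b64url_decode(parts[0]))


def uses_compression(token: str) -> bool:
    """True if the token asks the recipient to inflate the plaintext.
    Reject such tokens before jwe.decrypt if your application never issues
    compressed JWEs."""
    return jwe_protected_header(token).get("zip") == "DEF"


def make_bomb(size: int = 16 * 1024 * 1024) -> bytes:
    """Constructed decompression bomb: `size` zero bytes, raw-deflated."""
    return raw_deflate(b"\x00" * size)


def compression_ratio(compressed: bytes, original_size: int) -> float:
    """Bytes of output produced per byte of input the attacker must send."""
    return original_size / len(compressed)


def _constructed_token(header: dict) -> str:
    # Constructed for this example: only the protected header is meaningful;
    # the other segments are placeholders, so this token cannot be decrypted.
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        "",  # "dir" key management: empty encrypted-key segment
        _b64url_encode(b"iv"),
        _b64url_encode(b"ciphertext"),
        _b64url_encode(b"tag"),
    ])


COMPRESSED_TOKEN = _constructed_token({"alg": "dir", "enc": "A256GCM", "zip": "DEF"})
PLAIN_TOKEN = _constructed_token({"alg": "dir", "enc": "A256GCM"})


if __name__ == "__main__":
    bomb = make_bomb()
    print(f"bomb: {len(bomb)} bytes on the wire, ratio ~{compression_ratio(bomb, 16 * 1024 * 1024):.0f}:1")
    print("compressed token rejected:", uses_compression(COMPRESSED_TOKEN))
    try:
        inflate_bounded(bomb)
    except ValueError as exc:
        print("bounded inflate refused:", exc)
```

The header check is the mitigation available without patching python-jose: jwe.decrypt performs the decompression internally, so a caller can only bound it by not passing compressed tokens in at all. The bounded inflate is what the decompression step itself should look like; note that zlib's max_length cap is what stops the allocation, and the d.eof check additionally rejects streams cut short by the cap or by a malformed sender.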
Affected packages
PyPI / python-jose
Introduced in: 0 (i.e. every released version)
No fixed version published yet for python-jose (pip). Pin to a known-safe version or switch to an alternative.