python-jose is vulnerable to Denial of Service (DoS). The vulnerability is caused by missing token size limits when decoding a JSON Web Encryption (JWE) token. An attacker can submit a token with a high compression ratio, which depletes system resources during decoding and can result in Denial of Service. This vulnerability is known as a “JWT bomb”, by analogy with a “zip bomb”.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | python-jose | le | 3.3.0 |
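An added example, not python-jose's own code, of the two limits whose absence the advisory describes: a cap on the serialized token and a cap on the inflated payload. The function names, the limit values and the zlib framing (default `wbits`) are assumptions made for illustration.

```python
import zlib

MAX_TOKEN_BYTES = 16 * 1024       # assumed cap on the serialized token
MAX_PLAINTEXT_BYTES = 256 * 1024  # assumed cap on the inflated payload


class TokenTooLarge(ValueError):
    """The token or its inflated payload exceeds the configured cap."""


def check_token_size(token: bytes, limit: int = MAX_TOKEN_BYTES) -> None:
    """Reject oversized tokens before any base64 decoding or decryption."""
    if len(token) > limit:
        raise TokenTooLarge(f"token is {len(token)} bytes, limit is {limit}")


def bounded_inflate(data: bytes, limit: int = MAX_PLAINTEXT_BYTES,
                    wbits: int = zlib.MAX_WBITS) -> bytes:
    """Inflate a decrypted JWE payload, producing at most `limit` bytes.

    wbits defaults to zlib framing (an assumption); use -zlib.MAX_WBITS
    for raw DEFLATE.
    """
    inflater = zlib.decompressobj(wbits=wbits)
    # Ask for one byte more than allowed: receiving it proves the cap is
    # exceeded without ever allocating the full expanded payload.
    out = inflater.decompress(data, limit + 1)
    if len(out) > limit or inflater.unconsumed_tail:
        raise TokenTooLarge(f"inflated payload exceeds {limit} bytes")
    if not inflater.eof:
        raise ValueError("truncated or malformed compressed payload")
    return out


def constructed_sample(size: int = 8 * 1024 * 1024) -> bytes:
    """Constructed input: `size` zero bytes, which deflate to a few KiB."""
    return zlib.compress(b"\x00" * size, 9)


if __name__ == "__main__":
    sample = constructed_sample()
    check_token_size(sample)  # passes: the compressed form is small
    try:
        bounded_inflate(sample)
    except TokenTooLarge as exc:
        print(f"rejected {len(sample)}-byte input: {exc}")
    print(bounded_inflate(zlib.compress(b'{"sub": "alice"}')))
```

The constructed sample passes the token-size check and is stopped only by the output cap, which is why the decompression step needs its own limit rather than relying on input size alone.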