mpdavis/python-jose

mpdavis/python-jose

Releases30

Frequency4 months 5 days

Last Release about 1 year ago

Stars1.75K

A JOSE implementation in Python

Log in to subscribe

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2024-29370 ↗	Dec 17, 2025Wednesday, 17 December 2025, 16:16	5.3 MEDIUM	—
In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.
CVE-2024-33663 ↗	Apr 26, 2024Friday, 26 April 2024, 00:15	6.5 MEDIUM	—
python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217.
CVE-2024-33664 ↗	Apr 26, 2024Friday, 26 April 2024, 00:15	5.3 MEDIUM	—
python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a "JWT bomb." This is similar to CVE-2024-21319.
CVE-2016-7036 ↗	Jan 23, 2017Monday, 23 January 2017, 21:59	—	7.5 HIGH
python-jose before 1.3.2 allows attackers to have unspecified impact by leveraging failure to use a constant time comparison for HMAC keys.