CVE-2024-29370 — Improper Handling of Highly Compressed Data (Data Amplification) in Project Python-jose

CWE-409 — Improper Handling of Highly Compressed Data (Data Amplification)6 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

0.2%

top 57.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python-jose Project Python-jose Debian Python-jose

Timeline

PublishedDec 17

Description

In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶PyPIpython-jose_project/python-jose< 3.4.0

▶debiandebian/python-jose

▶NVDpython-jose_project/python-jose3.3.0

Patches

Patch: github.com ↗

🔴Vulnerability Details

GHSA

Duplicate Advisory: python-jose denial of service via compressed JWE content↗2025-12-17

▶

OSV

CVE-2024-29370: In python-jose 3↗2025-12-17

▶

📋Vendor Advisories

Red Hat

python-jose: python-jose: Denial-of-Service via malicious JSON Web Encryption (JWE) token decompression↗2025-12-17

▶

Debian

CVE-2024-29370: python-jose - In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attac...↗2024

▶

🕵️Threat Intelligence

Wiz

CVE-2024-29370 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶