Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
4Blast Radius
ecosystem impact- 11 pypi packages depend on jwcrypto (8 direct, 3 indirect)
Ecosystem-wide dependent count for version 1.5.7.
DescriptionGitHub Advisory
JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression. The existing patch for CVE-2024-28102 limits input token size to 250KB but does not validate the decompressed output size. An unauthenticated attacker can cause memory exhaustion on memory-constrained systems. A token under the 250KB input limit can decompress to approximately 100MB. This vulnerability is fixed in 1.5.7.
AnalysisAI
Memory exhaustion in JWCrypto before 1.5.7 allows unauthenticated remote attackers to cause denial of service on memory-constrained systems by sending crafted JWE tokens with ZIP compression that decompress to approximately 100MB despite remaining under the 250KB input size limit. The vulnerability exploits incomplete validation in the upstream CVE-2024-28102 patch, which restricted input token size but failed to enforce decompressed output limits.
Technical ContextAI
JWCrypto is a Python library implementing JSON Web Token (JWT), JSON Web Key (JWK), JSON Web Signature (JWS), and JSON Web Encryption (JWE) specifications using the python-cryptography backend. The vulnerability exists in JWE processing when ZIP (DEFLATE) compression is enabled. The root cause is CWE-409 (Improper Handling of Highly Compressed Data), where the library validates the compressed input token size (250KB limit from CVE-2024-28102 remediation) but does not enforce a maximum decompressed size. An attacker can craft a highly-compressible payload that remains under 250KB when compressed but expands to ~100MB when decompressed, exhausting memory when the library processes the token without bounds-checking the decompression output.
RemediationAI
Vendor-released patch: upgrade JWCrypto to version 1.5.7 or later, which implements proper decompression size validation to prevent memory exhaustion from compressed JWE tokens. Applications should ensure they are using the patched version and verify that JWE token processing includes strict decompression limits. Refer to the official advisory at https://github.com/latchset/jwcrypto/security/advisories/GHSA-fjrm-76x2-c4q4 for detailed remediation guidance. As a temporary workaround prior to patching, applications can disable ZIP compression in JWE processing if the use case permits, or implement external request size limits and resource monitoring to detect abnormal decompression behavior.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| SUSE Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| SUSE Package Hub 15 SP6 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19911
GHSA-fjrm-76x2-c4q4