Nixpkgs security tracker
Published
Permalink
CVE-2026-39373
5.3 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): NONE
- Integrity impact (I): NONE
- Availability impact (A): LOW
by @LeSuisse Activity log
- Created suggestion
- @LeSuisse accepted
- @LeSuisse published on GitHub
JWCrypto: JWE ZIP decompression bomb
JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression. The existing patch for CVE-2024-28102 limits input token size to 250KB but does not validate the decompressed output size. An unauthenticated attacker can cause memory exhaustion on memory-constrained systems. A token under the 250KB input limit can decompress to approximately 100MB. This vulnerability is fixed in 1.5.7.
References
-
https://github.com/latchset/jwcrypto/security/advisories/GHSA-fjrm-76x2-c4q4 x_refsource_CONFIRM
Affected products
jwcrypto
- ==< 1.5.7
Matching in nixpkgs
pkgs.python312Packages.jwcrypto
Implementation of JOSE Web standards
pkgs.python313Packages.jwcrypto
Implementation of JOSE Web standards
pkgs.python314Packages.jwcrypto
Implementation of JOSE Web standards