Miggo Logo
Miggo Vulnerability Database
CVE-2024-33664

CVE-2024-33664:
python-jose denial of service via compressed JWE content

5.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2024-33664
GHSA ID
GHSA-cjwg-qfpm-7377
EPSS Score
0.08269%
CWE
CWE-400
Published
4/26/2024
Updated
2/18/2025
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
python-josepip< 3.4.03.4.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability is a denial of service caused by processing a JWE token with a high compression ratio. The provided pull request (https://github.com/mpdavis/python-jose/pull/345) and its associated commit (483529ee93a3ab510ab579d4d4cc644dba926ade) show a modification to the jose.jwe.decrypt function. Specifically, a size check was added at the beginning of this function to limit the size of the input JWE string (jwe_str). This directly indicates that the decrypt function was the entry point for the vulnerability, as it was responsible for handling the input that could lead to excessive resource consumption. The lack of this size check prior to the patch is what made the function vulnerable.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

pyt*on-jos* t*rou** *.*.* *llows *tt**k*rs to **us* * **ni*l o* s*rvi** (r*sour** *onsumption) *urin* * ***o** vi* * *r**t** JSON W** *n*ryption (JW*) tok*n wit* * *i** *ompr*ssion r*tio, *k* * "JWT *om*." T*is is simil*r to *V*-****-*****.

Reasoning

T** vuln*r**ility is * **ni*l o* s*rvi** **us** *y pro**ssin* * JW* tok*n wit* * *i** *ompr*ssion r*tio. T** provi*** pull r*qu*st (*ttps://*it*u*.*om/mp**vis/pyt*on-jos*/pull/***) *n* its *sso*i*t** *ommit (****************************************)