Resource exhaustion via oversized JSON Web Signature (JWS) payloads
Summary
joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In versions 1.3.4 through 1.6.5, joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegistry.max_payload_length, which can lead to resource exhaustion. The normal JWS compact and flattened JSON paths reject payloads above the configured payload-size limit with ExceededSizeError. The RFC7797 unencoded payload paths do not make the same check. A valid b64=false compact or flattened JSON JWS can therefore deserialize successfully with a payload larger than JWSRegistry.max_payload_length. Applications that accept lower-trust JWS values and rely on joserfc to reject oversized token content during verification have a moderate availability risk. This issue has been fixed in version 1.6.7. A flaw was found in joserfc, a Python library for JSON Object Signing and Encryption (JOSE). This vulnerability allows a remote attacker to cause resource exhaustion, leading to a Denial of Service (DoS), by sending oversized JSON Web Signature (JWS) payloads. The library fails to apply size limits, specifically JWSRegistry.max_payload_length, when processing RFC7797 b64=false JWS payloads. Red Hat severity: Moderate — CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). Weakness: CWE-770. Fixed by RHSA-2026:25039 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
- jaeger-main-2.19.0-1.hum1
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
- jaeger-main-2.19.0-1.hum1
- RHSA-2026:25039
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation checklist
- The risk can be mitigated by rejecting oversized serialized JWS inputs before they reach joserfc and enforcing strict request/body size limits at the application or reverse-proxy layer.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.