python-jose Denial-of-Service Vulnerability via Malicious JWE Tokens

Vulnerability

A denial-of-service vulnerability has been identified in python-jose version 3.3.0, specifically within the JWE decryption function. The issue arises when an attacker crafts a JSON Web Encryption (JWE) token whose compressed payload has a very high compression ratio, so that a small token inflates to a very large plaintext. Processing such a token leads to excessive memory usage and prolonged processing times, causing a denial-of-service condition on the server.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, causing significant memory consumption and increased processing times on the server during JWE token decompression.

Reproduction

The vulnerability can be reproduced by encrypting a large, highly compressible payload with the 'DEF' compression option using the JWE encryption methods. Decrypting the resulting token demonstrates the increased memory use and processing time compared to an uncompressed token of similar size.

Remediation

Users can upgrade to python-jose version 3.4.0 or later, where this vulnerability has been fixed. If an immediate upgrade is not possible, consider removing or monkey-patching the JWE compression support in the application.
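If compression must stay enabled while an upgrade is pending, the defensive measure is to cap how much plaintext a 'DEF' payload may inflate to. The following is an added example, not python-jose's own code or its 3.4.0 fix: it wraps zlib's raw DEFLATE decoder with a size limit and checks it against a constructed claims blob and a constructed, highly repetitive payload. MAX_INFLATED_BYTES and the function names are assumptions.

```python
import zlib

# Assumed cap on inflated plaintext size; python-jose has no setting by this name.
MAX_INFLATED_BYTES = 1024 * 1024


class InflateLimitExceeded(ValueError):
    """Raised when a 'DEF'-compressed payload would inflate past the cap."""


def deflate(plaintext: bytes) -> bytes:
    """Raw DEFLATE without zlib header (wbits=-15), the encoding JWE uses for "zip": "DEF"."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(plaintext) + c.flush()


def bounded_inflate(compressed: bytes, limit: int = MAX_INFLATED_BYTES) -> bytes:
    """Inflate raw DEFLATE data without ever materialising more than limit + 1 bytes.

    zlib.decompress() has no size cap, so a few KiB of input can expand to
    gigabytes. decompressobj().decompress(data, max_length) stops producing
    output at max_length and parks unread input in unconsumed_tail, so an
    oversized stream is detected before the full plaintext is allocated.
    """
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(compressed, limit + 1)
    if len(out) > limit or d.unconsumed_tail:
        raise InflateLimitExceeded(f"inflated payload exceeds {limit} bytes; refusing")
    return out


def inflate_ratio(plaintext: bytes) -> float:
    """Bytes of plaintext per byte of compressed input for a given payload."""
    return len(plaintext) / len(deflate(plaintext))


def demo() -> dict:
    """Constructed inputs: a normal claims blob and a 16 MiB run of zero bytes."""
    normal = b'{"sub":"alice","scope":"read"}'
    repetitive = b"\0" * (16 * 1024 * 1024)  # compresses to a few KiB
    results = {"normal_ok": bounded_inflate(deflate(normal)) == normal}
    try:
        bounded_inflate(deflate(repetitive))
        results["repetitive_rejected"] = False
    except InflateLimitExceeded:
        results["repetitive_rejected"] = True
    results["repetitive_ratio"] = inflate_ratio(repetitive)
    return results


if __name__ == "__main__":
    print(demo())
```

The cap should be set with headroom above the largest legitimate claims payload the application issues, and a rejection is worth logging as a signal of malformed or hostile tokens.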

Added: Dec 17, 2025, 4:20 PM
Updated: Dec 17, 2025, 5:27 PM

Vulnerability Rating (Custom Algorithm)

  spread          5.4
  impact          2.5
  exploitability  6.0
  remediation     7.9
  relevance       1.5
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.