jose4j
cpe:2.3:a:jose4j_project:jose4j:*:*:*:*:*:*:*
- < 0.9.5
A denial-of-service vulnerability has been identified in jose4j versions prior to 0.9.5. An attacker can craft a JSON Web Encryption (JWE) token whose payload has a very high compression ratio. When the server processes this token, decompression consumes excessive memory and takes a prolonged time, causing a denial-of-service condition.
Exploitation of this vulnerability leads to a denial-of-service condition, causing significant memory consumption and increased processing times on the server.
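One way to bound decompression of an untrusted JWE payload, shown as an added example (this is not jose4j's code and not its 0.9.5 fix). The class name, the 256 KiB cap and the sample inputs are assumptions constructed for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;

public class BoundedInflate {
    static final int MAX_PLAINTEXT_BYTES = 256 * 1024; // assumed cap; size it to your largest expected plaintext

    // Inflate raw DEFLATE (RFC 1951, the JWE "zip":"DEF" format), failing once output would pass maxBytes.
    static byte[] inflate(byte[] compressed, int maxBytes) throws DataFormatException {
        Inflater inflater = new Inflater(true); // true = raw DEFLATE, no zlib header
        try {
            inflater.setInput(compressed);
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[4096];
            while (!inflater.finished()) {
                int n = inflater.inflate(buf);
                if (n == 0 && (inflater.needsInput() || inflater.needsDictionary())) {
                    throw new DataFormatException("truncated or unsupported DEFLATE stream");
                }
                if (out.size() + n > maxBytes) { // checked before buffering, so memory stays under the cap
                    throw new DataFormatException("decompressed size exceeds " + maxBytes + " bytes");
                }
                out.write(buf, 0, n);
            }
            return out.toByteArray();
        } finally {
            inflater.end(); // release native zlib memory
        }
    }

    // Helper that builds raw-DEFLATE inputs for the demo in main().
    static byte[] deflate(byte[] data) {
        Deflater deflater = new Deflater(Deflater.BEST_COMPRESSION, true);
        deflater.setInput(data);
        deflater.finish();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[4096];
        while (!deflater.finished()) out.write(buf, 0, deflater.deflate(buf));
        deflater.end();
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] normal = deflate("{\"sub\":\"alice\"}".getBytes(StandardCharsets.UTF_8)); // constructed sample
        System.out.println("normal payload: " + inflate(normal, MAX_PLAINTEXT_BYTES).length + " bytes");
        byte[] dense = deflate(new byte[16 * 1024 * 1024]); // constructed: 16 MiB of zeros
        try { inflate(dense, MAX_PLAINTEXT_BYTES); }
        catch (DataFormatException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The cap is enforced while inflating rather than after, so an oversized payload is rejected after at most `maxBytes` of output instead of being fully expanded first.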