joserfc ExceededSizeError Logging Vulnerability Leading to Uncontrolled Resource Consumption
Vulnerability
A vulnerability exists in the joserfc library, which implements the JSON Object Signing and Encryption (JOSE) standards. In versions from 1.3.3 up to (but not including) 1.3.5, and from 1.4.0 up to (but not including) 1.4.2, the ExceededSizeError exception message includes the raw, still-undecoded parts of the JWT token, so Python logging can end up recording large, forged JWT payloads verbatim. The issue is reachable when the application is not fronted by a properly configured production-grade web server or reverse proxy that limits header sizes, so that an oversized bearer token in an HTTP request header reaches the library. The result is excessive resource consumption: the full JWT header is processed and logged, including by diagnostic tools such as Sentry. The underlying problem is that the payload is loaded into memory before the library can reject it, creating a risk of uncontrolled resource consumption.
Impact
Exploitation of this vulnerability can cause significant resource exhaustion, leading to high memory usage and potentially overwhelming logging systems or external log management services.
Reproduction
The vulnerability can be reproduced by sending a large JWT token in the Authorization header of an HTTP request to a Python web application that uses an affected version of the joserfc library. If the application is not behind a reverse proxy that limits header sizes, the large token is handed to joserfc, which raises ExceededSizeError. The exception message includes the full, raw (undecoded) JWT header, which produces a correspondingly large log entry.
Remediation
Update to joserfc version 1.3.5 or 1.4.2, both of which address the vulnerability by removing the raw JWT payload from the ExceededSizeError exception message. Additionally, configure the web server or reverse proxy to enforce strict limits on header sizes so that oversized tokens never reach the application.
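The two application-side mitigations above, a size check before the token reaches the JOSE library and a logging safeguard so that no single log entry can balloon even if a library exception embeds the raw token, can be illustrated in plain Python. The following is an added example written for this advisory; it is not joserfc's code and does not import it. The byte limit, the log-message limit, the function names and the simulated library error are all assumptions chosen for the example; tune MAX_BEARER_TOKEN_BYTES to match whatever header cap the reverse proxy enforces.

```python
from __future__ import annotations

import logging

MAX_BEARER_TOKEN_BYTES = 8192   # assumed cap; align with the reverse proxy's header size limit
MAX_LOG_MESSAGE_CHARS = 512     # assumed cap on any single rendered log message


class TokenTooLarge(Exception):
    """Raised before the token is handed to the JOSE library.

    The message deliberately carries only sizes, never the token itself,
    so logging the exception cannot reproduce the oversized input."""


def extract_bearer_token(authorization: str, max_bytes: int = MAX_BEARER_TOKEN_BYTES) -> str:
    """Return the bearer token from an Authorization header value, or raise."""
    scheme, _, token = authorization.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        raise ValueError("Authorization header is not a bearer token")
    size = len(token.encode("utf-8"))
    if size > max_bytes:
        raise TokenTooLarge(f"bearer token is {size} bytes, limit is {max_bytes}")
    return token


class TruncatingFilter(logging.Filter):
    """Clamp the rendered message of every record that passes through a logger.

    This is the last line of defence: even if some library puts a raw token
    into an exception message, the resulting log entry stays bounded."""

    def __init__(self, max_chars: int = MAX_LOG_MESSAGE_CHARS) -> None:
        super().__init__()
        self.max_chars = max_chars

    def filter(self, record: logging.LogRecord) -> bool:
        rendered = record.getMessage()
        if len(rendered) > self.max_chars:
            dropped = len(rendered) - self.max_chars
            # Replace msg/args with the already-rendered, truncated text so
            # handlers do not re-format the original oversized message.
            record.msg = f"{rendered[:self.max_chars]}... [truncated {dropped} chars]"
            record.args = ()
        return True


class ListHandler(logging.Handler):
    """Collect formatted log lines in memory so the example can inspect them."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def build_logger(name: str = "auth-example") -> tuple[logging.Logger, ListHandler]:
    """Create an isolated logger with the truncating filter installed."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(TruncatingFilter())
    return logger, handler


def handle_request(authorization: str, logger: logging.Logger) -> bool:
    """Simulate the auth step of one request.

    Returns True if the token is small enough to pass to the JOSE library,
    False if it was rejected up front. Rejections are logged by reason only."""
    try:
        extract_bearer_token(authorization)
    except (TokenTooLarge, ValueError) as exc:
        logger.warning("rejected bearer token: %s", exc)
        return False
    return True


def log_library_error(raw_token: str, logger: logging.Logger) -> None:
    """Constructed stand-in for a library exception whose message embeds the
    raw token (the behaviour this advisory describes). Logging it through the
    filtered logger shows the entry being clamped."""
    err = ValueError(f"token exceeds allowed size: {raw_token}")
    logger.error("jose error: %s", err)


if __name__ == "__main__":
    demo_logger, demo_handler = build_logger()
    # Constructed sample inputs: a short well-formed header and a 20 000-byte one.
    print(handle_request("Bearer eyJhbGciOiJIUzI1NiJ9.e30.sig", demo_logger))
    print(handle_request("Bearer " + "A" * 20000, demo_logger))
    log_library_error("A" * 20000, demo_logger)
    for line in demo_handler.lines:
        print(len(line), line[:80])
```

The size check belongs at the edge of the application (middleware or the first line of the auth dependency), before any parsing; the filter is attached at the logger level so it also covers records produced by third-party code that logs through the same logger hierarchy. Neither replaces the reverse-proxy header limit, which stops the bytes before they are ever read into the Python process.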