CVE-2024-29370: Duplicate Advisory: python-jose denial of service via compressed JWE content

December 17, 2025 (updated December 18, 2025)

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-cjwg-qfpm-7377. This link is maintained to preserve external references.

Original Description

In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.

References

github.com/advisories/GHSA-h4pw-wxh7-4vjj
github.com/mpdavis/python-jose/commit/483529ee93a3ab510ab579d4d4cc644dba926ade
github.com/mpdavis/python-jose/issues/344
github.com/mpdavis/python-jose/releases/tag/3.4.0
nvd.nist.gov/vuln/detail/CVE-2024-29370

Code Behaviors & Features

Detect and mitigate CVE-2024-29370 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →