CVE-2024-29370

unknown
Published 2025-12-17 · Modified 2026-05-21
CVSS v3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Description

In python-jose 3.3.0, specifically jwe.decrypt, a remote attacker can cause a Denial-of-Service (DoS) condition by crafting a JSON Web Encryption (JWE) token whose payload has an exceptionally high compression ratio. When the server decrypts the token, the decompression step inflates the payload with no bound on the output size, consuming significant memory and processing time.

Editor's context, following from the JWE specification (RFC 7516) rather than from the advisory text: compression is requested by the "zip" member of the protected header (the only registered value is "DEF", DEFLATE), and the specification applies it to the plaintext before encryption, so a receiver decompresses only after decryption and authentication-tag verification succeed. The attacker therefore needs a token that decrypts under the recipient's key; with an asymmetric key-management algorithm such as RSA-OAEP or ECDH-ES the recipient's public key is sufficient, which is consistent with PR:N in the vector above. Capping the size of the incoming token is not enough on its own, because DEFLATE can reach a ratio of roughly 1000:1, so a 1 MB token can expand to about 1 GB; the effective control is a bound on the decompressed output.
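The following is an added example written for this page (it is not python-jose's code and is not taken from the advisory). It shows the failure mode and the countermeasure side by side: a constructed payload of zeros inflates about a thousandfold, the vulnerable one-shot zlib.decompress materialises all of it, and a bounded inflater stops at a policy limit. Assumptions, all hypothetical: raw DEFLATE as RFC 7516 "DEF" (whether a given library inflates with a zlib wrapper or raw DEFLATE does not change the bound), a 1 MiB policy limit (MAX_INFLATED), and the post-decryption step modelled as plaintext_from_decrypted, which takes the already-authenticated AEAD output as input because the hazard is entirely in what happens to the plaintext afterwards.

```python
"""Bounded DEFLATE inflation for a JWE receiver (added example, not library code)."""
import base64
import json
import zlib

# Policy: the most plaintext one JWE may expand to. Assumption: 1 MiB is ample
# for a token payload; tune it to the application.
MAX_INFLATED = 1 << 20


class DecompressionBomb(ValueError):
    """Raised when inflating the payload would exceed the configured limit."""


def b64url_decode(s: str) -> bytes:
    # JWE uses unpadded base64url; restore padding before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE (RFC 1951, no zlib header), which is what "zip":"DEF" means."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def make_bomb(size: int) -> bytes:
    """Constructed attack payload: `size` zero bytes, which DEFLATE shrinks ~1000:1."""
    return deflate_raw(b"\x00" * size)


def inflate_unbounded(data: bytes) -> bytes:
    """The vulnerable pattern: the output is as large as the stream says it is."""
    return zlib.decompress(data, -15)


def inflate_bounded(data: bytes, max_out: int = MAX_INFLATED) -> bytes:
    """Inflate `data`, refusing to produce more than `max_out` bytes.

    Decompress.decompress(data, max_length) returns at most max_length bytes
    and parks unread input in unconsumed_tail, so this loop never holds more
    than max_out + 1 bytes of output no matter what the stream encodes.
    """
    d = zlib.decompressobj(wbits=-15)
    out = bytearray()
    pending = data
    while True:
        # request one byte beyond the limit so that overflow is observable
        chunk = d.decompress(pending, max_out - len(out) + 1)
        out += chunk
        pending = d.unconsumed_tail
        if len(out) > max_out:
            raise DecompressionBomb(
                f"payload inflates past {max_out} bytes "
                f"({len(data)} bytes compressed)"
            )
        if d.eof:
            return bytes(out)
        if not chunk and not pending:
            # input exhausted without an end-of-stream marker
            raise ValueError("truncated DEFLATE stream")


def is_bomb(data: bytes, max_out: int = MAX_INFLATED) -> bool:
    """True when `data` would inflate past max_out under the bounded inflater."""
    try:
        inflate_bounded(data, max_out)
    except DecompressionBomb:
        return True
    return False


def plaintext_from_decrypted(protected_b64: str, decrypted: bytes,
                             max_out: int = MAX_INFLATED) -> bytes:
    """Post-decryption step of a JWE receiver (hypothetical name).

    `decrypted` stands in for the output of the authenticated AEAD decryption.
    Only "zip":"DEF" is honoured, and only through the bounded inflater.
    """
    header = json.loads(b64url_decode(protected_b64))
    zip_alg = header.get("zip")
    if zip_alg is None:
        return decrypted
    if zip_alg != "DEF":
        raise ValueError(f"unsupported zip algorithm {zip_alg!r}")
    return inflate_bounded(decrypted, max_out)


if __name__ == "__main__":
    bomb = make_bomb(1 << 24)          # 16 MiB of zeros, constructed input
    print(f"compressed {len(bomb)} bytes, ratio about {(1 << 24) // len(bomb)}:1")
    hdr = b64url_encode(b'{"alg":"RSA-OAEP","enc":"A256GCM","zip":"DEF"}')
    try:
        plaintext_from_decrypted(hdr, bomb)
    except DecompressionBomb as e:
        print("rejected:", e)
```

The limit belongs at the point where the decompressor produces output, not on the size of the token: a size cap on the token only bounds the expansion by the DEFLATE ratio, so a small token limit still permits output three orders of magnitude larger.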

Predictions

Exploit likelihood: 30%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Vendor advisory (debian, authored 2026-05-27): https://security-tracker.debian.org/tracker/CVE-2024-29370

Vendor advisory (suse, authored 2026-05-27): https://www.suse.com/security/cve/CVE-2024-29370.html

OS impact

OS       Version    Status     Fixed in
suse     sles       affected   -
debian   bookworm   affected   -

Package impact

Ecosystem       Package       Vulnerable   Fixed
python (PyPI)   python-jose   <=3.3.0      -
