VDB
DEBIAN-CVE-2026-39373
DEBIAN-CVE-2026-39373
PUBLISHED
CVSS 5.300000190734863 MEDIUM
JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression. The existing patch for CVE-2024-28102 limits input token size to 250KB but does not validate the decompressed output size. An unauthenticated attacker can cause memory exhaustion on memory-constrained systems. A token under the 250KB input limit can decompress to approximately 100MB. This vulnerability is fixed in 1.5.7.
Risk Scores
CVSS v3.1
5.300000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:14 | python-jwcrypto | 1.5.6-1, 0, 1.5.6-1 |
| Debian:12 | python-jwcrypto | 0, 1.1.0-1, 1.1.0-1+deb12u1 |
| Debian:11 | python-jwcrypto | 1.5.4-1, 1.5.6-1, 0.8.0-1 |
| Debian:13 | python-jwcrypto | 0, 1.5.6-1, 0 |
Timeline
- Apr 7, 2026 CVE Published
- Apr 28, 2026 CVE Updated