AVID-2026-R1477
Description
Vulnerability CVE-2024-33664
Details
python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a “JWT bomb.” This is similar to CVE-2024-21319.
Reason for inclusion in AVID: CVE-2024-33664 describes a denial-of-service vulnerability in python-jose triggered by crafted JWE tokens with a high compression ratio. This is a software vulnerability in a library commonly found in AI software stacks (authentication and serving pipelines, transitive dependencies), so it is a component that can sit in the supply chain of general-purpose AI systems (deploy/run/serve). It is clearly security-related, with a CVE identifier and references, and should be kept for AVID curation.
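The defensive fix for this class of bug is to inflate a compressed JWE payload ("zip":"DEF", raw DEFLATE) under a hard output cap instead of trusting the stream to stay small. The following is an added example written for this entry, not python-jose's own code or the fix in the referenced pull request; the cap value, the function names and the constructed all-zero test payload are assumptions.

```python
import zlib

# Assumption (not from the advisory): cap on inflated plaintext size a decoder accepts.
MAX_INFLATED_BYTES = 1 << 20  # 1 MiB


class InflateLimitExceeded(ValueError):
    """Raised when a zip="DEF" payload would inflate past the configured cap."""


def inflate_bounded(data: bytes, max_bytes: int = MAX_INFLATED_BYTES) -> bytes:
    """Inflate a raw-DEFLATE JWE payload (RFC 7516 "zip":"DEF") under a hard size cap.

    zlib.decompress(data, -15) allocates whatever the stream expands to, which is
    exactly what a compression bomb abuses. A decompressobj with max_length lets
    inflation stop, and the token be rejected, as soon as output would exceed the cap.
    """
    d = zlib.decompressobj(wbits=-15)  # -15: raw DEFLATE, no zlib/gzip header
    out = bytearray()
    pending = data
    while pending:
        room = max_bytes - len(out) + 1  # one extra byte so overflow is observable
        chunk = d.decompress(pending, room)
        out += chunk
        if len(out) > max_bytes:
            raise InflateLimitExceeded(f"inflated payload exceeds {max_bytes} bytes")
        if not chunk and d.unconsumed_tail == pending:
            break  # no progress: the stream is truncated or needs more input
        pending = d.unconsumed_tail
    return bytes(out + d.flush())


def make_test_payload(inflated_size: int) -> bytes:
    """Constructed test input: a highly compressible all-zero plaintext, raw-DEFLATE encoded."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(b"\0" * inflated_size) + c.flush()


def decode_payload(data: bytes, max_bytes: int = MAX_INFLATED_BYTES) -> tuple:
    """Return (accepted, inflated_size); a rejected payload reports (False, 0)."""
    try:
        return True, len(inflate_bounded(data, max_bytes))
    except InflateLimitExceeded:
        return False, 0


if __name__ == "__main__":
    small = make_test_payload(10_000)
    large = make_test_payload(8 << 20)  # 8 MiB of zeros compresses to a few KiB
    print(len(small), decode_payload(small))  # accepted
    print(len(large), decode_payload(large))  # rejected before 8 MiB is allocated
```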
References
- NVD entry
- https://github.com/mpdavis/python-jose/issues/344
- https://github.com/mpdavis/python-jose/pull/345
- https://www.vicarius.io/vsociety/posts/jwt-bomb-in-python-jose-cve-2024-33664
Affected or Relevant Artifacts
- Developer: n/a
- Deployer: n/a
- Artifact Details:
| Type | Name |
|---|---|
| System | n/a |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-04-25
- Version: 0.3.3
- AVID Entry