PT-2024-2212 · Jwx · Jwx

Zer0Yu · Published 2024-03-07 · Updated 2026-01-22 · CVE-2024-28122

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: jwx 1.x versions prior to 1.2.29; jwx 2.x versions prior to 2.0.21
Description: An attacker who holds a key the recipient accepts (the recipient's public key, or a shared symmetric key) can cause a Denial-of-Service (DoS) condition by crafting a JSON Web Encryption (JWE) message whose plaintext has an exceptionally high compression ratio. JWE allows the plaintext to be DEFLATE-compressed before it is encrypted (the "zip":"DEF" protected header), so a message of a few kilobytes can expand to hundreds of megabytes or more once the recipient decrypts it and then decompresses the result. The attacker needs a key the recipient trusts only so that decryption succeeds and processing reaches the decompression step; the decompression bomb itself is trivial to build, since a long run of repeating bytes compresses at close to DEFLATE's ceiling of roughly 1000:1. If the decompressed size is large enough, the recipient allocates a correspondingly large buffer and spends correspondingly long inflating it, which exhausts memory or CPU and results in a denial of service.
Recommendations: For versions prior to 1.2.29, update to version 1.2.29 or later. For versions prior to 2.0.21, update to version 2.0.21 or later. As a temporary workaround, cap the size of the decompressed plaintext when decrypting JWE messages, for example by reading the inflated stream through a bounded reader and rejecting any message that exceeds the cap, so that a small ciphertext can never force an unbounded allocation. If the application never exchanges compressed JWEs, rejecting any message that carries a "zip" header removes the decompression step entirely.
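The following Go program is an added example, not code from this page or from the jwx project. It reproduces the mechanism in the description and the bounded-read workaround in the recommendations using only the standard library's compress/flate, which implements the raw DEFLATE that JWE's "zip":"DEF" header specifies. The names deflateBomb, inflateUnbounded and inflateBounded are illustrative, and the 16 MiB plaintext and 1 MiB limit are constructed values. Encryption is omitted on purpose: in a real JWE the compressed bytes are the plaintext that gets encrypted, and the recipient inflates them only after a successful decryption, which is exactly where the limit has to be enforced.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
	"log"
)

// ErrDecompressedTooLarge is returned when the inflated plaintext would
// exceed the limit the recipient is willing to allocate.
var ErrDecompressedTooLarge = errors.New("jwe: decompressed payload exceeds limit")

// deflateBomb builds what an attacker would place in the plaintext of a JWE
// carrying "zip":"DEF": `size` bytes of one repeated byte, raw-DEFLATE
// compressed as RFC 7516 section 4.1.3 requires. A run of identical bytes
// compresses close to DEFLATE's ceiling of roughly 1032:1. (Constructed
// input for this example, not a captured message.)
func deflateBomb(size int) ([]byte, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.BestCompression)
	if err != nil {
		return nil, err
	}
	if _, err := w.Write(bytes.Repeat([]byte{'A'}, size)); err != nil {
		return nil, err
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// inflateUnbounded mirrors the vulnerable behaviour: the recipient reads the
// whole DEFLATE stream into memory, however large it turns out to be. The
// size of the allocation is chosen entirely by the sender.
func inflateUnbounded(compressed []byte) ([]byte, error) {
	return io.ReadAll(flate.NewReader(bytes.NewReader(compressed)))
}

// inflateBounded is the workaround: wrap the inflater in an io.LimitReader so
// that at most maxBytes+1 bytes are ever produced. Reading one byte past the
// limit is what lets us tell "exactly at the limit" from "over the limit"
// without ever allocating the attacker's full payload.
func inflateBounded(compressed []byte, maxBytes int64) ([]byte, error) {
	r := io.LimitReader(flate.NewReader(bytes.NewReader(compressed)), maxBytes+1)
	out, err := io.ReadAll(r)
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > maxBytes {
		return nil, ErrDecompressedTooLarge
	}
	return out, nil
}

func main() {
	const plaintextSize = 16 << 20 // 16 MiB of plaintext (constructed)
	const limit = 1 << 20          // recipient accepts at most 1 MiB inflated

	bomb, err := deflateBomb(plaintextSize)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("compressed payload: %d bytes, inflates to %d bytes (%.0f:1)\n",
		len(bomb), plaintextSize, float64(plaintextSize)/float64(len(bomb)))

	// Vulnerable path: allocates the full 16 MiB because the sender said so.
	full, err := inflateUnbounded(bomb)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("unbounded inflate allocated %d bytes\n", len(full))

	// Hardened path: stops reading as soon as the limit is crossed.
	if _, err := inflateBounded(bomb, limit); errors.Is(err, ErrDecompressedTooLarge) {
		fmt.Println("bounded inflate rejected the message:", err)
	}
}
```

The limit should be applied on the reader, not checked after the fact: a post-hoc length check still performs the full allocation the attacker was aiming for. Choose the cap from the largest legitimate plaintext the application actually sends, and remember that an inflater bounded in output can still be asked to do a great deal of work per byte, so a cap on the compressed input size is a useful second line.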

Exploit

Fix

Weakness Enumeration

Resource Exhaustion

Related Identifiers

BDU:2024-02139
CVE-2024-28122
GHSA-HJ3V-M684-V259
GO-2024-2632

Affected Products

Jwx