PT-2025-47405 · PyPI · joserfc

Published 2025-11-18 · Updated 2025-11-20 · CVE-2025-65015

CVSS v4.0: 9.2 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
Name of the Vulnerable Software and Affected Versions
joserfc versions 1.3.3 through 1.3.4; joserfc versions 1.4.0 through 1.4.1

Description
The joserfc library has an issue where excessively large JWT (JSON Web Token) payloads can be logged, potentially leading to resource exhaustion. Specifically, the ExceededSizeError exception messages embed the full, potentially forged JWT payload, which can be very large if a misconfigured or absent web server allows oversized requests. This can impact disk, memory, and CPU usage on the application host, as well as external logging and alerting services. The issue occurs during JWT decoding (joserfc.jwt.decode()) and claim/signature validation, where the library raises joserfc.errors.ExceededSizeError() with the full payload included in the exception message. The library cannot prevent the large payload from being loaded into memory once it has been received. The issue is present in the joserfc/rfc7515/registry.py and joserfc/rfc7516/registry.py files.

Recommendations
For versions 1.3.3 through 1.3.4, update to version 1.3.5 or later. For versions 1.4.0 through 1.4.1, update to version 1.4.2 or later.
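Beyond upgrading, the description points at two application-side controls: cap the token size before it reaches the decoder, and never forward the decoder's exception message (which may embed the whole token) into logs or alerts. The following is an added example illustrating those two controls; it is not joserfc's code. It uses a constructed stand-in decoder that mimics the described behaviour (raising an error whose message contains the full token) so it runs without the library installed; in a real deployment the `decoder` argument would be a thin wrapper around joserfc.jwt.decode(). The 8 KiB limit is an assumed deployer-chosen value, not a joserfc default.

```python
"""Guard a JWT decoder against oversized tokens and token-bearing error messages.

Added example, not joserfc's code. `constructed_decoder` is a stand-in for
joserfc.jwt.decode() that reproduces the advisory's failure mode (the whole
token ends up in the exception message).
"""
import hashlib
import logging

# Assumption: deployer-chosen ceiling for an Authorization token; 8 KiB is a
# constructed example value, not a library default.
MAX_TOKEN_BYTES = 8 * 1024

logger = logging.getLogger("jwt-guard")


class TokenTooLarge(ValueError):
    """Raised before the decoder ever sees the token; carries only sizes."""


class DecodeFailed(Exception):
    """Raised to the caller with the failure class name only, never the token."""


class FakeDecodeError(Exception):
    """Constructed stand-in for an exception whose message embeds the token."""


def constructed_decoder(token: str) -> dict:
    # Constructed stand-in for joserfc.jwt.decode(): tokens above 1 KiB are
    # rejected with the full token copied into the message, as the advisory
    # describes for ExceededSizeError.
    if len(token) > 1024:
        raise FakeDecodeError(f"exceeded size: {token}")
    return {"sub": "user", "token_len": len(token)}


def redact(token: str) -> str:
    """Bounded fingerprint for logs: length plus a short hash, never the bytes."""
    digest = hashlib.sha256(token.encode("utf-8")).hexdigest()[:16]
    return f"<token len={len(token)} sha256={digest}>"


def describe_failure(exc: BaseException, token: str) -> str:
    """Log line for a decode failure; uses the exception type, not str(exc)."""
    return f"jwt decode failed: {type(exc).__name__} for {redact(token)}"


def safe_decode(token: str, decoder=constructed_decoder,
                max_bytes: int = MAX_TOKEN_BYTES) -> dict:
    """Reject oversized tokens up front, then decode without leaking the token."""
    size = len(token.encode("utf-8"))
    if size > max_bytes:
        # Cheap length check before any parsing or base64 work happens.
        raise TokenTooLarge(f"token rejected: {size} bytes > limit {max_bytes}")
    try:
        return decoder(token)
    except Exception as exc:
        logger.warning("%s", describe_failure(exc, token))
        # `from None` drops the chained exception so its token-bearing message
        # does not resurface in tracebacks captured by error-reporting tools.
        raise DecodeFailed(type(exc).__name__) from None


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(safe_decode("a" * 20))
    for bad in ("b" * 2000, "c" * 9000):
        try:
            safe_decode(bad)
        except (TokenTooLarge, DecodeFailed) as err:
            print(type(err).__name__, "->", err)
```

The size check runs before base64 decoding or JSON parsing, so an oversized token costs only a length comparison; the logging path records the exception class and a fingerprint of the token rather than its contents, which is what keeps log volume bounded even when the decoder's own message is not.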

Exploit

Fix

DoS

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers
BDU:2025-14672 · CVE-2025-65015 · GHSA-FRFH-8V73-GJG4

Affected Products
Debian · joserfc