PT-2026-53449 · Pypi · Joserfc
Published
2026-06-29
·
Updated
2026-06-29
CVSS v4.0
9.2
Critical
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H |
Summary
The
ExceededSizeError exception messages are embedded with non-decoded JWT token parts and may cause Python logging to record an arbitrarily large, forged JWT payload.Details
In situations where a misconfigured — or entirely absent — production-grade web server sits in front of a Python web application, an attacker may be able to send arbitrarily large bearer tokens in the HTTP request headers. When this occurs, Python logging or diagnostic tools (e.g., Sentry) may end up processing extremely large log messages containing the full JWT header during the
joserfc.jwt.decode() operation. The same behavior also appears when validating claims and signature payload sizes, as the library raises joserfc.errors.ExceededSizeError() with the full payload embedded in the exception message. Since the payload is already fully loaded into memory at this stage, the library cannot prevent or reject it per se.It is therefore the responsibility of the underlying web server (
uvicorn/h11, gunicorn, Starlette, Werkzeug, nginx...etc) to enforce limits on header sizes. For example, a FastAPI/Starlette application running without uvicorn and/or gunicorn cannot enforce header size limits on its own. With uvicorn/h11, the --h11-max-incomplete-event-size option can restrict the total size of the header plus body, but not the header alone. Similarly, vLLM serve —due to its reliance on uvicorn/h11 and the need for heavy data transfer in ML inference workloads, sets a default limit of 4 MB for header plus body and is frequently increased. In practice, a robust reverse proxy (such as nginx) is typically required because it can explicitly cap maximum header size. Unfortunately, many web applications do not run behind a proper reverse proxy.Given these constraints, the
joserfc library cannot safely log or embed payloads of arbitrary size. This issue is particularly subtle, as it occurs only when a maliciously crafted JWT finally reaches the Python application, a scenario that most developers will never encounter during routine development and testing.PoC
Environment
Ubuntu 24.04 LTS
Python 3.12
Tested on
joserfc version 1.4.1python
import logging
from datetime import UTC, datetime, timedelta
from joserfc import jwt
from joserfc.errors import ExceededSizeError, UnsupportedAlgorithmError
from joserfc.jwk import OctKey
logger = logging.getLogger( name )
SECRET KEY = "8c13bd66babc241b29f8553429bdab7deb6f5b74ddfda7765471e57ecd55641e"
LONG JWT TOKEN = (
"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGQifQ"
"."
"eyJpc3MiOiJhdXRoX3NlcnZlciIsImlhdCI6MTc2MzI0OTEwMSwiZXhwIjoxNzY5MjQ5MTAxfQ"
"."
"6-k2jmkGXD6wXOgYgjPS8E5lS GjWpgIuY54gokjAn8"
)
HEADER = {
"alg": (
"RS256dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
"RS256dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
"RS256dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
"RS256dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
"RS256dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
"RS256dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
),
}
CLAIMS = {
"iss": "auth server",
"iat": datetime.now(UTC),
"exp": datetime.now(UTC) + timedelta(minutes=15),
}
def main():
# Create OctKey from SECRET KEY
key = OctKey.import key(SECRET KEY)
# Simulate creating a very large JWT
# (this will fail with joserfc.errors.UnsupportedAlgorithmError
# due to an invalid 'alg' header content
try:
token = jwt.encode(HEADER, CLAIMS, key)
except UnsupportedAlgorithmError:
# Use a forged token that has the same header and claims instead
# but an invalid signature
token = LONG JWT TOKEN
logger.warning(f"Created JWT: {token}")
# Now try to decode the large JWT
try:
decoded token = jwt.decode(token, key)
logger.warning("This line will never be reached.")
logger.warning(decoded token.claims)
except ExceededSizeError:
logger.exception(
"The JWT size is too large and may be a security attack attempt."
)
# this is logging the whole header content in the exception message!
Created JWT: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGQifQ.eyJpc3MiOiJhdXRoX3NlcnZlciIsImlhdCI6MTc2MzI0OTEwMSwiZXhwIjoxNzY5MjQ5MTAxfQ.6-k2jmkGXD6wXOgYgjPS8E5lS GjWpgIuY54gokjAn8
The JWT size is too large and may be a security attack attempt.
Traceback (most recent call last):
File "security issue.py", line 55, in main
claims = jwt.decode(token, key)
^^^^^^^^^^^^^^^^^^^^^^
File ".venv/lib/python3.12/site-packages/joserfc/jwt.py", line 106, in decode
header, payload = decode jws( value, key, algorithms, registry)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File ".venv/lib/python3.12/site-packages/joserfc/jwt.py", line 127, in decode jws
jws obj = deserialize compact(value, key, algorithms, registry)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File ".venv/lib/python3.12/site-packages/joserfc/jws.py", line 183, in deserialize compact
obj = extract compact(to bytes(value), payload, registry)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File ".venv/lib/python3.12/site-packages/joserfc/ rfc7797/compact.py", line 50, in extract rfc7515 compact
registry.validate header size(header segment)
File ".venv/lib/python3.12/site-packages/joserfc/ rfc7515/registry.py", line 104, in validate header size
raise ExceededSizeError(f"Header size of '{header!r}' exceeds {self.max header length} bytes.")
joserfc.errors.ExceededSizeError: exceeded size: Header size of 'b'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGQifQ'' exceeds 512 bytes.
Code location
This behavior occurs in:
joserfc/ rfc7515/registry.py
L102-112python
def validate header size(self, header: bytes) -> None:
if header and len(header) > self.max header length:
raise ExceededSizeError(f"Header size of '{header!r}' exceeds {self.max header length} bytes.")
def validate payload size(self, payload: bytes) -> None:
if payload and len(payload) > self.max payload length:
raise ExceededSizeError(f"Payload size of '{payload!r}' exceeds {self.max payload length} bytes.")
def validate signature size(self, signature: bytes) -> None:
if len(signature) > self.max signature length:
raise ExceededSizeError(f"Signature of '{signature!r}' exceeds {self.max signature length} bytes.")joserfc/ rfc7516/registry.py
L103-123python
def validate protected header size(self, header: bytes) -> None:
if header and len(header) > self.max protected header length:
raise ExceededSizeError(f"Header size of '{header!r}' exceeds {self.max protected header length} bytes.")
def validate encrypted key size(self, ek: bytes) -> None:
if ek and len(ek) > self.max encrypted key length:
raise ExceededSizeError(f"Encrypted key size of '{ek!r}' exceeds {self.max encrypted key length} bytes.")
def validate initialization vector size(self, iv: bytes) -> None:
if iv and len(iv) > self.max initialization vector length:
raise ExceededSizeError(
f"Initialization vector size of '{iv!r}' exceeds {self.max initialization vector length} bytes."
)
def validate ciphertext size(self, ciphertext: bytes) -> None:
if ciphertext and len(ciphertext) > self.max ciphertext length:
raise ExceededSizeError(f"Ciphertext size of '{ciphertext!r}' exceeds {self.max ciphertext length} bytes.")
def validate auth tag size(self, tag: bytes) -> None:
if tag and len(tag) > self.max auth tag length:
raise ExceededSizeError(f"Auth tag size of '{tag!r}' exceeds {self.max auth tag length} bytes.")Another occurrence of
ExceededSizeError in joserfc/ rfc7518/jwe zips.py is not affected
by this issue as it does not include the payload content in the exception message.Impact
In scenarios where a web application does not reject excessively large HTTP header payloads, using
joserfc can expose the system to an Allocation of Resources Without Limits or Throttling (CWE-770), potentially impacting disk, memory, and CPU on the application host, as well as any external log storage, ingestion pipelines or alerting services. This risk can be mitigated by removing the JWT payload from the logged content in some joserfc.errors.ExceededSizeError() exception message occurrences. It would also be beneficial for the documentation to advise deploying the library behind a robust web server or reverse proxy that correctly enforces maximum request header sizes.Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Joserfc