GHSA-3677-xxcr-wjqv

Suggest an improvement
Source
https://github.com/advisories/GHSA-3677-xxcr-wjqv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-3677-xxcr-wjqv/GHSA-3677-xxcr-wjqv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3677-xxcr-wjqv
Aliases
Downstream
Related
Published
2025-12-17T18:31:33Z
Modified
2025-12-18T15:56:17.264397Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
jose4j is vulnerable to DoS via compressed JWE content
Details

In jose4j before 0.9.5, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.

Database specific 
{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-1259"
    ],
    "nvd_published_at": "2025-12-17T16:16:04Z",
    "severity": "HIGH",
    "github_reviewed_at": "2025-12-18T15:34:32Z"
}
References

Affected packages

Maven / org.bitbucket.b_c:jose4j

Package

Name
org.bitbucket.b_c:jose4j
View open source insights on deps.dev
Purl
pkg:maven/org.bitbucket.b_c/jose4j

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.9.5

Affected versions

0.*

0.3.6
0.3.7
0.3.8
0.3.9
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.5.7
0.5.8
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.7.7
0.7.8
0.7.9
0.7.10
0.7.11
0.7.12
0.8.0
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4