CVE-2024-29370

MEDIUM
Published Dec 17, 2025 Modified Jan 5, 2026 CWE-409

Description

In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.

CVSS v3.1 Score

5.3
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Weakness Type (CWE)

CWE-409 CWE-409

Affected Products

Vendor Product
python-jose_project python-jose

References

Frequently Asked Questions

What is CVE-2024-29370? +
In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. It has a CVSS v3.1 base score of 5.3 (MEDIUM).
How severe is CVE-2024-29370? +
CVE-2024-29370 has a CVSS v3.1 score of 5.3 out of 10, rated MEDIUM. This is a medium-severity vulnerability that should be remediated as part of regular maintenance.
What products are affected by CVE-2024-29370? +
CVE-2024-29370 affects products from python-jose_project, specifically: python-jose. Check the affected products table above for specific version ranges.
How do I check if I'm vulnerable to CVE-2024-29370? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2026-43970

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory …
CVE-2025-66019

pypdf is a free and open-source pure-python PDF library. Prior to version 6.4.0, an attacker who uses this vulnerability can …
CVE-2024-43499 7.5

.NET and Visual Studio Denial of Service Vulnerability
CVE-2025-62708 7.5

pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can …
CVE-2025-58057 7.5

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In …
CVE-2024-3572 7.5

The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted …

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2024-29370 — free, no signup required.

Start Free Scan