{"id":"CVE-2026-48990","summary":"joserfc: b64=false RFC7797 JWS payloads bypass JWSRegistry payload-size limits during deserialization","details":"joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In versions 1.3.4 through 1.6.5, joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegistry.max_payload_length, which can lead to resource exhaustion. The normal JWS compact and flattened JSON paths reject payloads above the configured payload-size limit with ExceededSizeError. The RFC7797 unencoded payload paths do not make the same check. A valid b64=false compact or flattened JSON JWS can therefore deserialize successfully with a payload larger than JWSRegistry.max_payload_length. Applications that accept lower-trust JWS values and rely on joserfc to reject oversized token content during verification have a moderate availability risk. This issue has been fixed in version 1.6.7.","aliases":["GHSA-wphv-vfrh-23q5"],"modified":"2026-07-11T03:55:15.357028108Z","published":"2026-06-17T21:08:10.534Z","related":["CGA-g99c-9v78-pxx3","openSUSE-SU-2026:11067-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48990.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-400","CWE-770"]},"references":[{"type":"WEB","url":"https://github.com/authlib/joserfc/releases/tag/1.6.7"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48990.json"},{"type":"ADVISORY","url":"https://github.com/authlib/joserfc/security/advisories/GHSA-wphv-vfrh-23q5"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-48990"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/authlib/joserfc","events":[{"introduced":"6b6642b7e0f13cb6d8dc4541c1d68ff8523ccf27"},{"fixed":"41c015117d0e9bd27b04f882fcc58656a01fbfeb"},{"fixed":"1e5b94da589c695f54abd9f1a0ad822dcffe0305"}],"database_specific":{"source":["DESCRIPTION","REFERENCES"],"extracted_events":[{"introduced":"1.3.4"},{"fixed":"1.6.5"}]}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-48990.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}