{"id":"PYSEC-2024-233","details":"python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) while decoding a crafted JSON Web Encryption (JWE) token with a high compression ratio, also known as a \"JWT bomb.\" This is similar to CVE-2024-21319. The issue is fixed in python-jose 3.4.0.","aliases":["CVE-2024-33664","GHSA-cjwg-qfpm-7377"],"modified":"2025-02-18T19:57:02.313397Z","published":"2024-04-26T00:15:09Z","references":[{"type":"REPORT","url":"https://github.com/mpdavis/python-jose/issues/344"},{"type":"WEB","url":"https://github.com/mpdavis/python-jose/pull/345"},{"type":"WEB","url":"https://www.vicarius.io/vsociety/posts/jwt-bomb-in-python-jose-cve-2024-33664"}],"affected":[{"package":{"name":"python-jose","ecosystem":"PyPI","purl":"pkg:pypi/python-jose"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.4.0"}]}],"versions":["0.1.0","0.1.1","0.1.2","0.1.3","0.1.4","0.1.5","0.1.6","0.1.7","0.1.8","0.2.0","0.3.0","0.4.0","0.5.0","0.5.1","0.5.2","0.5.3","0.5.4","0.5.5","0.5.6","0.6.1","0.6.2","0.7.0","1.0.0","1.1.0","1.2.0","1.3.0","1.3.1","1.3.2","1.4.0","2.0.0","2.0.1","2.0.2","3.0.0","3.0.1","3.1.0","3.2.0","3.3.0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/python-jose/PYSEC-2024-233.yaml"}}],"schema_version":"1.7.3"}