Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-39373

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-07 Apr, 2026 | 19:35
Updated At-07 Apr, 2026 | 20:22
Rejected At-
Credits

JWCrypto: JWE ZIP decompression bomb

JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression. The existing patch for CVE-2024-28102 limits input token size to 250KB but does not validate the decompressed output size. An unauthenticated attacker can cause memory exhaustion on memory-constrained systems. A token under the 250KB input limit can decompress to approximately 100MB. This vulnerability is fixed in 1.5.7.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:07 Apr, 2026 | 19:35
Updated At:07 Apr, 2026 | 20:22
Rejected At:
â–¼CVE Numbering Authority (CNA)
JWCrypto: JWE ZIP decompression bomb

JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression. The existing patch for CVE-2024-28102 limits input token size to 250KB but does not validate the decompressed output size. An unauthenticated attacker can cause memory exhaustion on memory-constrained systems. A token under the 250KB input limit can decompress to approximately 100MB. This vulnerability is fixed in 1.5.7.

Affected Products
Vendor
latchset
Product
jwcrypto
Versions
Affected
  • < 1.5.7
Problem Types
TypeCWE IDDescription
CWECWE-409CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)
Type: CWE
CWE ID: CWE-409
Description: CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)
Metrics
VersionBase scoreBase severityVector
3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/latchset/jwcrypto/security/advisories/GHSA-fjrm-76x2-c4q4
x_refsource_CONFIRM
Hyperlink: https://github.com/latchset/jwcrypto/security/advisories/GHSA-fjrm-76x2-c4q4
Resource:
x_refsource_CONFIRM
â–¼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:07 Apr, 2026 | 20:16
Updated At:15 Apr, 2026 | 17:17

JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression. The existing patch for CVE-2024-28102 limits input token size to 250KB but does not validate the decompressed output size. An unauthenticated attacker can cause memory exhaustion on memory-constrained systems. A token under the 250KB input limit can decompress to approximately 100MB. This vulnerability is fixed in 1.5.7.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Type: Secondary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CPE Matches
latchset
latchset
>>jwcrypto>>Versions before 1.5.7(exclusive)
cpe:2.3:a:latchset:jwcrypto:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-409Primarysecurity-advisories@github.com
CWE ID: CWE-409
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/latchset/jwcrypto/security/advisories/GHSA-fjrm-76x2-c4q4security-advisories@github.com
Exploit
Vendor Advisory
Hyperlink: https://github.com/latchset/jwcrypto/security/advisories/GHSA-fjrm-76x2-c4q4
Source: security-advisories@github.com
Resource:
Exploit
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

6Records found
CVE-2023-6681
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.03% / 8.46%
||
7 Day CHG~0.00%
Published-12 Feb, 2024 | 14:04
Updated-26 Feb, 2026 | 20:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jwcrypto: denail of service via specifically crafted jwe

A vulnerability was found in JWCrypto. This flaw allows an attacker to cause a denial of service (DoS) attack and possible password brute-force and dictionary attacks to be more resource-intensive. This issue can result in a large amount of computational consumption, causing a denial of service attack.

Action-Not Available
Vendor-latchsetRed Hat, Inc.Fedora Project
Product-fedoraenterprise_linuxenterprise_linux_for_ibm_z_systemsjwcryptoenterprise_linux_for_power_little_endianenterprise_linux_for_arm_64Red Hat Ansible Automation Platform 2Red Hat Enterprise Linux 8Red Hat Enterprise Linux 7Red Hat Enterprise Linux 9
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2026-32630
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.07% / 22.51%
||
7 Day CHG~0.00%
Published-13 Mar, 2026 | 20:54
Updated-17 Mar, 2026 | 19:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
file-type affected by ZIP Decompression Bomb DoS via [Content_Types].xml entry

file-type detects the file type of a file, stream, or data. From 20.0.0 to 21.3.1, a crafted ZIP file can trigger excessive memory growth during type detection in file-type when using fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile(). The ZIP inflate output limit is enforced for stream-based detection, but not for known-size inputs. As a result, a small compressed ZIP can cause file-type to inflate and process a much larger payload while probing ZIP-based formats such as OOXML. This vulnerability is fixed in 21.3.2.

Action-Not Available
Vendor-sindresorhussindresorhus
Product-file-typefile-type
CWE ID-CWE-409
Improper Handling of Highly Compressed Data (Data Amplification)
CVE-2026-8814
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-6.9||MEDIUM
EPSS-Not Assigned
Published-19 May, 2026 | 05:00
Updated-19 May, 2026 | 07:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Versions of the package exifreader before 4.39.0 are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) due to decompressing PNG zTXt metadata without enforcing a built-in maximum decompressed output size. When asynchronous parsing is enabled, a crafted PNG file containing a highly compressed zTXt chunk can cause ExifReader to materialize a disproportionately large Comment value in memory.

Action-Not Available
Vendor-n/a
Product-exifreader
CWE ID-CWE-409
Improper Handling of Highly Compressed Data (Data Amplification)
CVE-2026-2575
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 13.20%
||
7 Day CHG~0.00%
Published-18 Mar, 2026 | 03:19
Updated-18 Mar, 2026 | 14:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Keycloak: keycloak: denial of service due to excessive samlrequest decompression

A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryError (OOM) and subsequent process termination. This vulnerability allows an attacker to disrupt the availability of the service.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat build of Keycloak 26.4Red Hat build of Keycloak 26.4.10
CWE ID-CWE-409
Improper Handling of Highly Compressed Data (Data Amplification)
CVE-2024-29370
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.16% / 36.22%
||
7 Day CHG-0.04%
Published-17 Dec, 2025 | 00:00
Updated-05 Jan, 2026 | 15:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.

Action-Not Available
Vendor-python-jose_projectn/a
Product-python-josen/a
CWE ID-CWE-409
Improper Handling of Highly Compressed Data (Data Amplification)
CVE-2023-26483
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.59% / 69.44%
||
7 Day CHG~0.00%
Published-03 Mar, 2023 | 22:02
Updated-25 Feb, 2025 | 15:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
gosaml2 vulnerable to Denial of Service via deflate decompression bomb

gosaml2 is a Pure Go implementation of SAML 2.0. SAML Service Providers using this library for SAML authentication support are likely susceptible to Denial of Service attacks. A bug in this library enables attackers to craft a `deflate`-compressed request which will consume significantly more memory during processing than the size of the original request. This may eventually lead to memory exhaustion and the process being killed. The maximum compression ratio achievable with `deflate` is 1032:1, so by limiting the size of bodies passed to gosaml2, limiting the rate and concurrency of calls, and ensuring that lots of memory is available to the process it _may_ be possible to help Go's garbage collector "keep up". Implementors are encouraged not to rely on this. This issue is fixed in version 0.9.0.

Action-Not Available
Vendor-gosaml2_projectrussellhaering
Product-gosaml2gosaml2
CWE ID-CWE-409
Improper Handling of Highly Compressed Data (Data Amplification)
Details not found