
Fix for CVE-2024-33664. JWE limited to 250K

Open alistairwatts opened this issue 1 year ago • 9 comments

This fix for CVE-2024-33664 ensures that any incoming JWE is under 250K, which seems to be a sensible, albeit large, limit. The specific fix for the "zip bomb" issue ensures that we decompress no more than 250K of data. If that limit is reached then a JWEError is raised.

There's rough symmetry here ensuring that both compressed and uncompressed JWE data is no more than 250K.

alistairwatts avatar May 07 '24 14:05 alistairwatts
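The bounded decompression the PR description talks about, shown as an added example rather than python-jose's own code or this PR's diff: a raw-DEFLATE inflate (JWE `"zip": "DEF"`) that asks zlib for at most one byte more than the remaining budget, so a tiny ciphertext can never expand past the cap before it is rejected. `MAX_JWE_PLAINTEXT`, `JWEError`, `bounded_inflate` and `raw_deflate` are names assumed here, not the library's.

```python
import zlib

# Assumed cap mirroring the PR's 250K limit; not a python-jose constant.
MAX_JWE_PLAINTEXT = 250 * 1024


class JWEError(Exception):
    """Stand-in for python-jose's JWEError (assumed name, defined here so the example is self-contained)."""


def bounded_inflate(data: bytes, limit: int = MAX_JWE_PLAINTEXT) -> bytes:
    """Inflate a raw-DEFLATE JWE payload without ever materialising more than `limit` bytes."""
    d = zlib.decompressobj(wbits=-15)  # negative wbits = raw DEFLATE, which is what JWE "zip": "DEF" carries
    chunks, total, buf = [], 0, data
    try:
        while buf:
            # Request one byte more than we are still allowed to accept. If zlib fills
            # that request, the plaintext is over budget and we stop right here, having
            # held at most limit + 1 bytes of output in memory.
            chunk = d.decompress(buf, limit - total + 1)
            total += len(chunk)
            if total > limit:
                raise JWEError(f"decompressed JWE payload exceeds {limit} bytes")
            chunks.append(chunk)
            buf = d.unconsumed_tail  # input zlib has not consumed yet; empty once the stream is done
    except zlib.error as exc:
        raise JWEError(f"malformed compressed JWE payload: {exc}") from exc
    if not d.eof:
        raise JWEError("truncated compressed JWE payload")
    return b"".join(chunks)


def raw_deflate(plaintext: bytes) -> bytes:
    """Constructed helper: produce a raw-DEFLATE stream the way a JWE producer would."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(plaintext) + c.flush()


if __name__ == "__main__":
    # Constructed "bomb": 1 MiB of zeros shrinks to roughly 1 KB of DEFLATE.
    bomb = raw_deflate(b"\x00" * (1024 * 1024))
    print(len(bomb), "compressed bytes")
    try:
        bounded_inflate(bomb)
    except JWEError as e:
        print("rejected:", e)
```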

Is this repository still maintained? Would be great to check and merge this PR.

omufeed avatar May 08 '24 13:05 omufeed

Thank you for this work @alistairwatts. Would love to see this PR go in.

Shinnnyshinshin avatar May 08 '24 21:05 Shinnnyshinshin

Let's try pinging @asherf and @mpdavis

CharlesPerrotMinot avatar May 10 '24 22:05 CharlesPerrotMinot

@mpdavis

smittysmee avatar May 21 '24 21:05 smittysmee

if @mpdavis does not work maybe @michaeldavis-wf will?

maciejstromich avatar May 22 '24 17:05 maciejstromich

Can you rebase your changes onto the latest master branch and force-update your branch for this PR?

twwildey avatar May 30 '24 23:05 twwildey

@alistairwatts

nicholas-quirk-mass-gov avatar Jun 03 '24 14:06 nicholas-quirk-mass-gov

@twwildey

CharlesPerrotMinot avatar Jun 03 '24 20:06 CharlesPerrotMinot

Any updates here?

phasath avatar Sep 20 '24 16:09 phasath

Right now we should be checking the length of the tokens at the API level whilst waiting for this fix? Dependabot brought me here.

BEEFF avatar Nov 13 '24 17:11 BEEFF