CVE-2024-29370

5.3 MEDIUM

📋 TL;DR

This vulnerability in python-jose 3.3.0 allows attackers to cause a Denial-of-Service (DoS) by sending malicious JWE tokens with very high compression ratios, which leads to excessive memory consumption and CPU usage during decompression. Any system that uses python-jose 3.3.0 to process JWE tokens is affected, particularly web applications and APIs that accept JWE tokens from untrusted clients.

💻 Affected Systems

Products:
  • python-jose
Versions: 3.3.0 only
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using the jwe.decrypt function. Other python-jose functionality is not impacted.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability due to memory exhaustion and CPU saturation, potentially requiring server restarts and causing extended downtime.

🟠 Likely Case

Temporary service degradation or intermittent outages affecting user experience and application performance.

🟢 If Mitigated

Minimal impact with proper rate limiting, input validation, and monitoring in place to detect and block malicious requests.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a crafted JWE token to a vulnerable endpoint. The GitHub issue includes proof-of-concept details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.0

Vendor Advisory: https://github.com/mpdavis/python-jose/issues/344

Restart Required: No

Instructions:

1. Update python-jose: pip install python-jose==3.4.0
2. Verify the update: pip show python-jose
3. Test JWE functionality to ensure compatibility.

🔧 Temporary Workarounds

Input validation and size limits (applies to: all)

Implement request size limits and validate JWE tokens before processing.

Rate limiting (applies to: all)

Implement rate limiting on endpoints accepting JWE tokens to prevent mass exploitation.
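The size-limit and pre-validation workaround above can be implemented as a cheap gate that runs before the token ever reaches jwe.decrypt. The following is an added example written for this page, not code from python-jose or its maintainers. It inspects only the JWE compact serialization (five base64url segments) and the protected header, never the ciphertext, so a malicious token costs no more than its own length to reject. The size limit, the refusal of any protected header carrying a "zip" parameter, and the build_test_token helper (which produces cryptographically meaningless tokens purely to exercise the gate) are this example's own assumptions; the decryptor is injected so the gate works with jose.jwe.decrypt or any other implementation.

```python
import base64
import json
from typing import Callable, Tuple

# Policy limits: constructed values for this example; tune them to the token
# sizes your application legitimately produces.
MAX_TOKEN_BYTES = 8 * 1024      # reject anything larger before it is even parsed
ALLOW_COMPRESSION = False       # reject JWEs whose protected header requests "zip"


def _b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url, as used in JWE compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_jwe_token(token: str,
                    max_bytes: int = MAX_TOKEN_BYTES,
                    allow_compression: bool = ALLOW_COMPRESSION) -> Tuple[bool, str]:
    """Gate that runs before any decryption or decompression.

    Returns (accepted, reason). Only the protected header is decoded; the
    ciphertext segment is never touched.
    """
    if len(token.encode("utf-8")) > max_bytes:
        return False, "token exceeds size limit"
    parts = token.split(".")
    if len(parts) != 5:
        return False, "not a JWE compact serialization"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        # binascii.Error (bad base64) and JSONDecodeError are both ValueError subclasses
        return False, "unparseable protected header"
    if not isinstance(header, dict):
        return False, "protected header is not a JSON object"
    if "zip" in header and not allow_compression:
        # A "zip" parameter (e.g. "DEF") is what makes decrypt inflate the payload.
        return False, "compressed JWE rejected by policy"
    return True, "ok"


def safe_decrypt(token: str, key: bytes,
                 decrypt_fn: Callable[[str, bytes], bytes]) -> bytes:
    """Run the gate, then hand the token to the real decryptor (e.g. jose.jwe.decrypt)."""
    accepted, reason = check_jwe_token(token)
    if not accepted:
        raise ValueError(f"JWE rejected before decryption: {reason}")
    return decrypt_fn(token, key)


def build_test_token(header: dict, ciphertext_len: int) -> str:
    """Constructed, cryptographically meaningless token used only to exercise the gate."""
    header_seg = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    filler = _b64url_encode(b"\x00" * 16)            # encrypted-key, IV and tag placeholders
    ciphertext = _b64url_encode(b"\x00" * ciphertext_len)
    return ".".join([header_seg, filler, filler, ciphertext, filler])


if __name__ == "__main__":
    plain = build_test_token({"alg": "dir", "enc": "A256GCM"}, 64)
    zipped = build_test_token({"alg": "dir", "enc": "A256GCM", "zip": "DEF"}, 64)
    huge = build_test_token({"alg": "dir", "enc": "A256GCM"}, 100_000)
    for name, tok in [("plain", plain), ("zipped", zipped), ("huge", huge)]:
        print(name, check_jwe_token(tok))
```

The gate deliberately rejects on policy rather than trying to predict the decompressed size: if your application never issues compressed JWEs, refusing the "zip" parameter outright removes the inflation path entirely, and the size limit bounds the work done on every other malformed input. Place the check at the HTTP layer as well (request body limits) so oversized tokens are dropped before they are read into memory.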

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block requests with suspicious JWE tokens
  • Monitor memory and CPU usage for abnormal spikes and implement alerting

🔍 How to Verify

Check if Vulnerable:

pip show python-jose | grep Version

The system is vulnerable if the reported version is 3.3.0.

Verify Fix Applied:

Run the same command and confirm the reported version is 3.4.0 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Unusually large request sizes
  • Multiple failed JWE decryption attempts
  • Memory allocation errors in application logs

Network Indicators:

  • Large HTTP POST requests to JWE endpoints
  • Spike in request rate to authentication/decryption endpoints

SIEM Query:

source=application_logs "jwe.decrypt" AND ("memory" OR "timeout" OR "error")
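The SIEM query above flags individual events; in practice the signal is a burst of matching events from one client. The following is an added example written for this page (not part of the original advisory) that applies the same predicate to constructed application log lines and counts matches per client inside a sliding time window. The log format ("<timestamp> <level> client=<ip> <message>"), the sample lines, the client addresses and the threshold and window values are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable

# Constructed log lines for the example; the "<ts> <level> client=<ip> <message>"
# layout is assumed, not taken from any real deployment.
SAMPLE_LOGS = [
    "2024-03-20T10:00:01 INFO  client=10.0.0.9 jwe.decrypt ok alg=dir enc=A256GCM",
    "2024-03-20T10:00:05 ERROR client=10.0.0.5 jwe.decrypt failed: MemoryError during decompression",
    "2024-03-20T10:00:31 ERROR client=10.0.0.5 jwe.decrypt failed: worker timeout after 30s",
    "2024-03-20T10:01:02 ERROR client=10.0.0.5 jwe.decrypt failed: MemoryError during decompression",
    "2024-03-20T10:01:40 ERROR client=10.0.0.5 jwe.decrypt error: request aborted",
    "2024-03-20T10:02:00 WARN  client=10.0.0.7 jwe.decrypt error: invalid token",
    "this line does not match the expected format and is skipped",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+client=(?P<ip>\S+)\s+(?P<msg>.*)$")
KEYWORDS = ("memory", "timeout", "error")


def matches_siem_query(message: str) -> bool:
    """Same predicate as the SIEM query: "jwe.decrypt" AND ("memory" OR "timeout" OR "error")."""
    lower = message.lower()
    return "jwe.decrypt" in lower and any(k in lower for k in KEYWORDS)


def find_suspicious_clients(lines: Iterable[str], threshold: int = 3,
                            window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Return {client_ip: most matching events seen in any `window`} for clients at or above threshold."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not matches_siem_query(m["msg"]):
            continue
        hits[m["ip"]].append(datetime.fromisoformat(m["ts"]))

    flagged: Dict[str, int] = {}
    for ip, times in hits.items():
        times.sort()
        start, best = 0, 0
        # Two-pointer sliding window over the sorted event times.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in find_suspicious_clients(SAMPLE_LOGS).items():
        print(f"{ip}: {count} failed/expensive jwe.decrypt events within the window")
```

Thresholding per client keeps a single malformed token from paging anyone while still surfacing the repeated failures and memory or timeout errors the indicators above describe; pair the alert with the memory and CPU metrics so a single very expensive token is also caught.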
