CVE-2025-65015
📋 TL;DR
This vulnerability in the joserfc Python library allows attackers to cause denial-of-service through memory exhaustion by sending extremely large JWT tokens. When the library processes oversized tokens, it embeds the full payload in exception messages that get logged, potentially overwhelming logging systems. This affects Python web applications using joserfc versions 1.3.3-1.3.4 or 1.4.0-1.4.1 without proper web server request size limits.
💻 Affected Systems
- joserfc Python library
📦 What is this software?
Joserfc by Hsiaoming
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage due to memory exhaustion, log storage overflow, and potential crash of monitoring systems like Sentry.
Likely Case
Degraded application performance, log storage exhaustion, and monitoring system disruption from oversized log messages.
If Mitigated
Minimal impact with proper web server request size limits and updated library versions.
🎯 Exploit Status
Attack requires sending oversized JWT tokens via HTTP headers, which is trivial to automate.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.5 or 1.4.2
Vendor Advisory: https://github.com/authlib/joserfc/security/advisories/GHSA-frfh-8v73-gjg4
Restart Required: Yes
Instructions:
1. Update joserfc (quote the specifier so the shell does not treat >= as a redirection): pip install --upgrade "joserfc>=1.4.2", or pip install --upgrade "joserfc>=1.3.5,<1.4" to stay on the 1.3 branch
2. Restart all Python applications using joserfc
3. Verify no applications are pinned to vulnerable versions
🔧 Temporary Workarounds
Configure web server request size limits
Set maximum request header sizes in frontend web servers to prevent oversized JWT tokens from reaching the application.
nginx: client_header_buffer_size 1k; large_client_header_buffers 4 8k;
Apache: LimitRequestFieldSize 8190
uWSGI: buffer-size = 8192
Configure Python logging filters
Add logging filters to truncate or drop exception messages containing JWT payloads.
import logging

class JWTSizeFilter(logging.Filter):
    """Replace ExceededSizeError records before the full token reaches any handler."""
    def filter(self, record):
        exc = record.exc_info[1] if record.exc_info else None
        if 'ExceededSizeError' in str(record.msg) or type(exc).__name__ == 'ExceededSizeError':
            record.msg = 'JWT size limit exceeded (payload truncated)'
            record.args = ()        # drop the original args so the replacement message formats cleanly
            record.exc_info = None  # the formatted traceback would otherwise repeat the full payload
        return True

# Attach to handlers, not the root logger: a filter on the root logger is not consulted
# for records propagated from child loggers (e.g. logging.getLogger("myapp")), handler filters are.
for handler in logging.getLogger().handlers:
    handler.addFilter(JWTSizeFilter())
🧯 If You Can't Patch
- Implement strict request size limits at web server level (nginx/Apache) to block oversized headers
- Monitor and alert on excessive memory usage or log growth from Python applications using joserfc
🔍 How to Verify
Check if Vulnerable:
Check installed joserfc version: pip show joserfc | grep Version
Check Version:
python -c "import joserfc; print(joserfc.__version__)"
Verify Fix Applied:
Confirm version is 1.3.5+ or 1.4.2+: pip list | grep joserfc
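The version checks above, as an added Python helper that is not part of the advisory or of the joserfc project. It encodes the affected ranges (1.3.3-1.3.4, 1.4.0-1.4.1) and fixed releases (1.3.5, 1.4.2) stated on this page, parses either a bare version string or the "Version:" line of pip show output, and reads the installed version through importlib.metadata so it can run in a fleet-wide check; the status labels are this example's own naming.

```python
import re
from importlib import metadata

# Ranges and fix releases taken from the advisory text on this page.
AFFECTED_RANGES = [((1, 3, 3), (1, 3, 4)), ((1, 4, 0), (1, 4, 1))]
FIXED_VERSIONS = {(1, 3): (1, 3, 5), (1, 4): (1, 4, 2)}


def parse_version(text):
    """Turn '1.4.1' (or a 'Version: 1.4.1' line from pip show) into a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no X.Y.Z version in {text!r}")
    return tuple(int(p) for p in m.groups())


def assess(version_text):
    """'vulnerable', 'patched' or 'not-listed' for a joserfc version string."""
    v = parse_version(version_text)
    for low, high in AFFECTED_RANGES:
        if low <= v <= high:
            return "vulnerable"
    if v < AFFECTED_RANGES[0][0]:
        return "not-listed"  # predates the affected ranges; the advisory does not name it
    return "patched"  # 1.3.5+, 1.4.2+, or a later release


def minimum_fix_for(version_text):
    """The release the page's instructions point at for the installed branch.
    Branches later than 1.4 are already past both fixes; 1.4.2 is returned for them."""
    v = parse_version(version_text)
    return ".".join(str(p) for p in FIXED_VERSIONS.get(v[:2], (1, 4, 2)))


def installed_status(dist="joserfc"):
    """Status of the distribution importable by this interpreter."""
    try:
        return assess(metadata.version(dist))
    except metadata.PackageNotFoundError:
        return "not-installed"


if __name__ == "__main__":
    print(f"joserfc: {installed_status()}")
```

Run it with the same interpreter the application uses; a virtualenv with a pinned 1.4.1 will report vulnerable even when the system Python is already on 1.4.2.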
📡 Detection & Monitoring
Log Indicators:
- ExceededSizeError exceptions with large payloads
- Rapid log file growth
- Memory exhaustion warnings
- Sentry/Logging system alerts about oversized messages
Network Indicators:
- HTTP requests with Authorization headers >8KB
- Multiple failed JWT validation attempts with large tokens
SIEM Query:
source="application.logs" AND "ExceededSizeError" AND size>10000
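The log and network indicators above, turned into an added Python detection pass that is not part of the advisory. It applies the SIEM query's two conditions (an ExceededSizeError record whose message body exceeds 10000 bytes) to constructed application log lines, and flags requests whose Authorization header exceeds 8192 bytes, grouped per client so repeated large tokens from one source stand out. The log layout, the access-log tuples and the IP addresses are constructed sample data for the example, not real records.

```python
import re

# Constructed sample application log lines (timestamp, level, logger, message).
APP_LOG = [
    "2025-11-20T10:00:01Z ERROR app.auth ExceededSizeError: token too large: " + "A" * 12000,
    "2025-11-20T10:00:02Z INFO app.web GET /api/items 200",
    "2025-11-20T10:00:03Z ERROR app.auth ExceededSizeError: token too large: " + "B" * 300,
    "2025-11-20T10:00:04Z WARNING app.auth BadSignatureError: invalid signature",
]

# Constructed access-log records: (client_ip, path, authorization_header_bytes).
ACCESS_LOG = [
    ("198.51.100.7", "/api/items", 900),
    ("198.51.100.7", "/api/items", 9500),
    ("203.0.113.9", "/api/items", 65536),
    ("198.51.100.7", "/api/login", 0),
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<level>\S+) (?P<logger>\S+) (?P<msg>.*)$")


def oversized_size_errors(lines, min_size=10000):
    """ExceededSizeError records whose message exceeds min_size bytes
    (the page's SIEM query: "ExceededSizeError" AND size>10000)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "ExceededSizeError" not in m["msg"]:
            continue
        size = len(m["msg"].encode("utf-8"))
        if size > min_size:
            hits.append({"ts": m["ts"], "logger": m["logger"], "size": size})
    return hits


def oversized_auth_headers(records, limit=8192):
    """Requests whose Authorization header exceeds limit bytes (page: >8KB), per client."""
    per_client = {}
    for ip, path, auth_len in records:
        if auth_len > limit:
            per_client.setdefault(ip, []).append((path, auth_len))
    return per_client


def summarize(lines, records):
    """One dict an alerting rule can key on: how many oversized errors, how large,
    and which clients are sending tokens the web-server limit should have stopped."""
    errors = oversized_size_errors(lines)
    clients = oversized_auth_headers(records)
    return {
        "oversized_error_count": len(errors),
        "largest_error_bytes": max((e["size"] for e in errors), default=0),
        "clients_with_oversized_auth": sorted(clients),
    }


if __name__ == "__main__":
    print(summarize(APP_LOG, ACCESS_LOG))
```

A non-empty clients_with_oversized_auth list with the nginx or Apache limits in place means the limits are not in front of the affected application (for example, a second ingress path or an internal caller); a non-zero oversized_error_count after patching means an unpatched instance is still writing full payloads to the log.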
🔗 References
- https://github.com/authlib/joserfc/commit/63932f169d924caffafa761af2122b82059017f7
- https://github.com/authlib/joserfc/commit/673c8743fd0605b0e1de6452be6cba75f44e466b
- https://github.com/authlib/joserfc/releases/tag/1.3.5
- https://github.com/authlib/joserfc/releases/tag/1.4.2
- https://github.com/authlib/joserfc/security/advisories/GHSA-frfh-8v73-gjg4