CVE-2025-65015 - Vulnerability Details

Source	ID	Title
Github GHSA	GHSA-frfh-8v73-gjg4	joserfc has Possible Uncontrolled Resource Consumption Vulnerability Triggered by Logging Arbitrarily Large JWT Token Payloads

Link	Providers
https://github.com/authlib/joserfc/commit/63932f169d924caffafa761af2122b82059017f7
https://github.com/authlib/joserfc/commit/673c8743fd0605b0e1de6452be6cba75f44e466b
https://github.com/authlib/joserfc/releases/tag/1.3.5
https://github.com/authlib/joserfc/releases/tag/1.4.2
https://github.com/authlib/joserfc/security/advisories/GHSA-frfh-8v73-gjg4

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Type	Values Removed	Values Added
Description		joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In versions from 1.3.3 to before 1.3.5 and from 1.4.0 to before 1.4.2, the ExceededSizeError exception messages are embedded with non-decoded JWT token parts and may cause Python logging to record an arbitrarily large, forged JWT payload. In situations where a misconfigured — or entirely absent — production-grade web server sits in front of a Python web application, an attacker may be able to send arbitrarily large bearer tokens in the HTTP request headers. When this occurs, Python logging or diagnostic tools (e.g., Sentry) may end up processing extremely large log messages containing the full JWT header during the joserfc.jwt.decode() operation. The same behavior also appears when validating claims and signature payload sizes, as the library raises joserfc.errors.ExceededSizeError() with the full payload embedded in the exception message. Since the payload is already fully loaded into memory at this stage, the library cannot prevent or reject it. This issue has been patched in versions 1.3.5 and 1.4.2.
Title		joserfc has Possible Uncontrolled Resource Consumption Vulnerability Triggered by Logging Arbitrarily Large JWT Token Payloads
Weaknesses		CWE-770
References		https://github.com/authlib/joserfc/commit/63932f169d924caffafa761af2122b82059017f7 https://github.com/authlib/joserfc/commit/673c8743fd0605b0e1de6452be6cba75f44e466b https://github.com/authlib/joserfc/releases/tag/1.3.5 https://github.com/authlib/joserfc/releases/tag/1.4.2 https://github.com/authlib/joserfc/security/advisories/GHSA-frfh-8v73-gjg4
Metrics		cvssV4_0 `{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H'}`

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-65015", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-11-13T15:36:51.680Z", "datePublished": "2025-11-18T23:07:44.328Z", "dateUpdated": "2025-11-19T17:12:04.336Z"}, "containers": {"cna": {"title": "joserfc has Possible Uncontrolled Resource Consumption Vulnerability Triggered by Logging Arbitrarily Large JWT Token Payloads", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "baseScore": 9.2, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/authlib/joserfc/security/advisories/GHSA-frfh-8v73-gjg4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/authlib/joserfc/security/advisories/GHSA-frfh-8v73-gjg4"}, {"name": "https://github.com/authlib/joserfc/commit/63932f169d924caffafa761af2122b82059017f7", "tags": ["x_refsource_MISC"], "url": "https://github.com/authlib/joserfc/commit/63932f169d924caffafa761af2122b82059017f7"}, {"name": "https://github.com/authlib/joserfc/commit/673c8743fd0605b0e1de6452be6cba75f44e466b", "tags": ["x_refsource_MISC"], "url": "https://github.com/authlib/joserfc/commit/673c8743fd0605b0e1de6452be6cba75f44e466b"}, {"name": "https://github.com/authlib/joserfc/releases/tag/1.3.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/authlib/joserfc/releases/tag/1.3.5"}, {"name": "https://github.com/authlib/joserfc/releases/tag/1.4.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/authlib/joserfc/releases/tag/1.4.2"}], "affected": [{"vendor": "authlib", "product": "joserfc", "versions": [{"version": ">= 1.3.3, < 1.3.5", "status": "affected"}, {"version": ">= 1.4.0, < 1.4.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-11-18T23:07:44.328Z"}, "descriptions": [{"lang": "en", "value": "joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In versions from 1.3.3 to before 1.3.5 and from 1.4.0 to before 1.4.2, the ExceededSizeError exception messages are embedded with non-decoded JWT token parts and may cause Python logging to record an arbitrarily large, forged JWT payload. In situations where a misconfigured \u2014 or entirely absent \u2014 production-grade web server sits in front of a Python web application, an attacker may be able to send arbitrarily large bearer tokens in the HTTP request headers. When this occurs, Python logging or diagnostic tools (e.g., Sentry) may end up processing extremely large log messages containing the full JWT header during the joserfc.jwt.decode() operation. The same behavior also appears when validating claims and signature payload sizes, as the library raises joserfc.errors.ExceededSizeError() with the full payload embedded in the exception message. Since the payload is already fully loaded into memory at this stage, the library cannot prevent or reject it. This issue has been patched in versions 1.3.5 and 1.4.2."}], "source": {"advisory": "GHSA-frfh-8v73-gjg4", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/authlib/joserfc/security/advisories/GHSA-frfh-8v73-gjg4", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-19T17:11:59.909842Z", "id": "CVE-2025-65015", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-19T17:12:04.336Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "joserfc has Possible Uncontrolled Resource Consumption Vulnerability Triggered by Logging Arbitrarily Large JWT Token Payloads", "source": {"advisory": "GHSA-frfh-8v73-gjg4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.2, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "authlib", "product": "joserfc", "versions": [{"status": "affected", "version": ">= 1.3.3, < 1.3.5"}, {"status": "affected", "version": ">= 1.4.0, < 1.4.2"}]}], "references": [{"url": "https://github.com/authlib/joserfc/security/advisories/GHSA-frfh-8v73-gjg4", "name": "https://github.com/authlib/joserfc/security/advisories/GHSA-frfh-8v73-gjg4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/authlib/joserfc/commit/63932f169d924caffafa761af2122b82059017f7", "name": "https://github.com/authlib/joserfc/commit/63932f169d924caffafa761af2122b82059017f7", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/authlib/joserfc/commit/673c8743fd0605b0e1de6452be6cba75f44e466b", "name": "https://github.com/authlib/joserfc/commit/673c8743fd0605b0e1de6452be6cba75f44e466b", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/authlib/joserfc/releases/tag/1.3.5", "name": "https://github.com/authlib/joserfc/releases/tag/1.3.5", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/authlib/joserfc/releases/tag/1.4.2", "name": "https://github.com/authlib/joserfc/releases/tag/1.4.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In versions from 1.3.3 to before 1.3.5 and from 1.4.0 to before 1.4.2, the ExceededSizeError exception messages are embedded with non-decoded JWT token parts and may cause Python logging to record an arbitrarily large, forged JWT payload. In situations where a misconfigured \u2014 or entirely absent \u2014 production-grade web server sits in front of a Python web application, an attacker may be able to send arbitrarily large bearer tokens in the HTTP request headers. When this occurs, Python logging or diagnostic tools (e.g., Sentry) may end up processing extremely large log messages containing the full JWT header during the joserfc.jwt.decode() operation. The same behavior also appears when validating claims and signature payload sizes, as the library raises joserfc.errors.ExceededSizeError() with the full payload embedded in the exception message. Since the payload is already fully loaded into memory at this stage, the library cannot prevent or reject it. This issue has been patched in versions 1.3.5 and 1.4.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-11-18T23:07:44.328Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-65015", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-19T17:11:59.909842Z"}}}], "references": [{"url": "https://github.com/authlib/joserfc/security/advisories/GHSA-frfh-8v73-gjg4", "tags": ["exploit"]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2025-11-19T17:11:52.719Z"}}]}, "cveMetadata": {"cveId": "CVE-2025-65015", "state": "PUBLISHED", "dateUpdated": "2025-11-18T23:07:44.328Z", "dateReserved": "2025-11-13T15:36:51.680Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-11-18T23:07:44.328Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In versions from 1.3.3 to before 1.3.5 and from 1.4.0 to before 1.4.2, the ExceededSizeError exception messages are embedded with non-decoded JWT token parts and may cause Python logging to record an arbitrarily large, forged JWT payload. In situations where a misconfigured \u2014 or entirely absent \u2014 production-grade web server sits in front of a Python web application, an attacker may be able to send arbitrarily large bearer tokens in the HTTP request headers. When this occurs, Python logging or diagnostic tools (e.g., Sentry) may end up processing extremely large log messages containing the full JWT header during the joserfc.jwt.decode() operation. The same behavior also appears when validating claims and signature payload sizes, as the library raises joserfc.errors.ExceededSizeError() with the full payload embedded in the exception message. Since the payload is already fully loaded into memory at this stage, the library cannot prevent or reject it. This issue has been patched in versions 1.3.5 and 1.4.2."}], "id": "CVE-2025-65015", "lastModified": "2025-11-19T19:14:59.327", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.2, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-11-18T23:15:56.513", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/authlib/joserfc/commit/63932f169d924caffafa761af2122b82059017f7"}, {"source": "security-advisories@github.com", "url": "https://github.com/authlib/joserfc/commit/673c8743fd0605b0e1de6452be6cba75f44e466b"}, {"source": "security-advisories@github.com", "url": "https://github.com/authlib/joserfc/releases/tag/1.3.5"}, {"source": "security-advisories@github.com", "url": "https://github.com/authlib/joserfc/releases/tag/1.4.2"}, {"source": "security-advisories@github.com", "url": "https://github.com/authlib/joserfc/security/advisories/GHSA-frfh-8v73-gjg4"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/authlib/joserfc/security/advisories/GHSA-frfh-8v73-gjg4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact High

Exploitation poc

Automatable yes

Technical Impact partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact High

Exploitation poc

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object