CVE-2026-39373 - Vulnerability Details

- JWCrypto: JWE ZIP decompression bomb

Description

JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression. The existing patch for CVE-2024-28102 limits input token size to 250KB but does not validate the decompressed output size. An unauthenticated attacker can cause memory exhaustion on memory-constrained systems. A token under the 250KB input limit can decompress to approximately 100MB. This vulnerability is fixed in 1.5.7.

Published: 2026-04-07

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

JWCrypto is a Python library implementing JSON Web Key, Signature, and Encryption. A flaw allows an unauthenticated attacker to send a crafted JWE token that is limited to 250 KB on input but can decompress to about 100 MB. When processed by the library, the large decompressed payload consumes server memory and can cause the process to crash or become unresponsive. This type of attack is a decompression bomb scenario, and the vulnerability is classified as CWE‑409 and CWE‑770.

Affected Systems

Any installation of latchset:jwcrypto before version 1.5.7 is affected. Systems that incorporate this library to handle JWTs—such as web services or authentication back‑ends—may be exposed if the library remains outdated.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity. An EPSS score is not provided, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only that an attacker transmit a compliant JWE token to the vulnerable system; the attack is unauthenticated and can occur over any channel that delivers the token. On memory‑constrained servers, the resulting exhaustion can cause a denial‑of‑service condition. The likely attack vector is inferred to be any input pathway that allows the attacker to supply a large compressed JWE.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

latchset

jwcrypto

affected

Version	Status	Constraints
`< 1.5.7`	affected	—

Configuration 1 [-]

cpe:2.3:a:latchset:jwcrypto:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Latchset

Jwcrypto

100%

Version	Status	Scheme	Platform
`[0,1.5.7)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade latchset:jwcrypto to version 1.5.7 or newer, which enforces a decompressed output size limit.

Generated by OpenCVE AI on April 8, 2026 at 02:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-fjrm-76x2-c4q4	JWCrypto: JWE ZIP decompression bomb

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00077.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/latchset/jwcrypto/security/advisories/GHSA-fjrm-76x2-c4q4
https://nvd.nist.gov/vuln/detail/CVE-2026-39373
https://www.cve.org/CVERecord?id=CVE-2026-39373

History

Wed, 15 Apr 2026 17:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:latchset:jwcrypto::::::::

Wed, 08 Apr 2026 19:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Latchset Latchset jwcrypto
Vendors & Products		Latchset Latchset jwcrypto

Wed, 08 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-770
References		https://nvd.nist.gov/vuln/detail/CVE-2026-39373 https://www.cve.org/CVERecord?id=CVE-2026-39373
Metrics	threat_severity `None`	threat_severity `Important`

Tue, 07 Apr 2026 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 07 Apr 2026 20:45:00 +0000

Type	Values Removed	Values Added
Description		JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression. The existing patch for CVE-2024-28102 limits input token size to 250KB but does not validate the decompressed output size. An unauthenticated attacker can cause memory exhaustion on memory-constrained systems. A token under the 250KB input limit can decompress to approximately 100MB. This vulnerability is fixed in 1.5.7.
Title		JWCrypto: JWE ZIP decompression bomb
Weaknesses		CWE-409
References		https://github.com/latchset/jwcrypto/security/advisories/GHSA-fjrm-76x2-c4q4
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}`

Subscriptions

Latchset Jwcrypto

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-07T19:35:36.071Z

Updated: 2026-04-07T20:22:57.790Z

Reserved: 2026-04-06T21:29:17.350Z

Link: CVE-2026-39373

Vulnrichment

Updated: 2026-04-07T20:22:53.956Z

NVD

Status : Analyzed

Published: 2026-04-07T20:16:32.133

Modified: 2026-04-15T17:17:58.477

Link: CVE-2026-39373

Redhat

Severity : Important

Publid Date: 2026-04-07T19:35:36Z

Links: CVE-2026-39373 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-08T19:46:13Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object