Description
joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In versions 1.3.4 through 1.6.5, joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegistry.max_payload_length, which can lead to resource exhaustion. The normal JWS compact and flattened JSON paths reject payloads above the configured payload-size limit with ExceededSizeError. The RFC7797 unencoded payload paths do not make the same check. A valid b64=false compact or flattened JSON JWS can therefore deserialize successfully with a payload larger than JWSRegistry.max_payload_length. Applications that accept lower-trust JWS values and rely on joserfc to reject oversized token content during verification have a moderate availability risk. This issue has been fixed in version 1.6.7.
Published: 2026-06-17
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when joserfc accepts oversized JWS payloads encoded with b64=false (RFC 7797 unencoded payload). In affected releases the payload size check governed by JWSRegistry.max_payload_length is bypassed for these payloads, allowing a malicious actor to embed a very large payload. During deserialization the library consumes excessive memory or processing time, leading to resource exhaustion. This is a classic uncontrolled resource consumption issue (CWE-400) and allocation of resources without limits or throttling (CWE-770).

Affected Systems

Authlib joserfc versions 1.3.4 through 1.6.5 are affected. The fix was released in version 1.6.7; applications that depend on this library and that accept lower-trust JWS values are at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of < 1% shows a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves forging a JWS token with b64=false and a very large payload, then presenting it to an application that uses joserfc for token verification. If the application accepts the token, the oversized payload triggers resource exhaustion and can degrade availability.

Generated by OpenCVE AI on June 18, 2026 at 19:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade joserfc to version 1.6.7 or later to enforce payload size limits on RFC7797 b64=false JWS.
  • Re-configure JWSRegistry.max_payload_length in the application configuration to enforce a reasonable size limit for all accepted tokens.
  • Audit custom JWT verification logic to ensure that unencoded payloads are checked against the configured limit and adjust any code that bypasses this check.

Generated by OpenCVE AI on June 18, 2026 at 19:15 UTC.
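The audit step in the recommended actions above can be backed by a size check that runs before a token ever reaches the JOSE library, so that encoded and unencoded payloads hit the same bound. The following Python is an added example written for this page, not code from joserfc or Authlib, and it does not import joserfc: it reads the protected header of a compact or flattened JSON JWS, decides whether the payload is base64url-encoded or unencoded (b64=false with "b64" listed in "crit", as RFC 7797 requires), measures the payload in bytes and rejects it when it exceeds a limit. The limit value and the sample tokens (which carry a placeholder signature that is never verified) are constructed for the example.

```python
import base64
import json

# Constructed limit for this example; production code should use the same
# value it configures as JWSRegistry.max_payload_length.
DEFAULT_MAX_PAYLOAD_LENGTH = 64


class PayloadTooLarge(ValueError):
    """Raised when a JWS payload exceeds the configured byte limit."""


def _b64url_decode(segment: str) -> bytes:
    # JOSE uses base64url without padding; restore it before decoding.
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded.encode("ascii"))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _is_unencoded(header: dict) -> bool:
    # RFC 7797: an unencoded payload needs b64=false in the protected header
    # and "b64" listed in "crit"; anything else is rejected rather than guessed.
    b64 = header.get("b64", True)
    if b64 is True:
        return False
    if b64 is not False:
        raise ValueError("'b64' header must be a JSON boolean")
    if "b64" not in header.get("crit", []):
        raise ValueError("'b64' is present but not listed in 'crit'")
    return True


def payload_length(token) -> int:
    """Payload size in bytes of a compact (str) or flattened JSON (dict) JWS.

    Encoded payloads are measured after base64url decoding; unencoded
    payloads are the raw segment and are measured as UTF-8 bytes.
    """
    if isinstance(token, str):
        parts = token.split(".")
        if len(parts) != 3:  # RFC 7797 forbids '.' in an unencoded compact payload
            raise ValueError("compact JWS must have exactly three segments")
        protected, payload = parts[0], parts[1]
    elif isinstance(token, dict):
        protected, payload = token.get("protected"), token.get("payload")
        if not isinstance(protected, str) or not isinstance(payload, str):
            raise ValueError("flattened JWS needs string 'protected' and 'payload'")
    else:
        raise TypeError("token must be a compact string or a flattened JSON object")

    header = json.loads(_b64url_decode(protected))
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    if _is_unencoded(header):
        return len(payload.encode("utf-8"))
    return len(_b64url_decode(payload))


def is_within_limit(token, limit: int = DEFAULT_MAX_PAYLOAD_LENGTH) -> bool:
    return payload_length(token) <= limit


def enforce_payload_limit(token, limit: int = DEFAULT_MAX_PAYLOAD_LENGTH) -> int:
    """Raise PayloadTooLarge before the token is handed to the JOSE library."""
    size = payload_length(token)
    if size > limit:
        raise PayloadTooLarge(f"payload is {size} bytes, limit is {limit}")
    return size


def build_sample_jws(payload: str, unencoded: bool):
    # Constructed sample tokens for the demo; the signature is a placeholder
    # and is never verified, since this check only inspects header and size.
    header = {"alg": "HS256"}
    if unencoded:
        header.update({"b64": False, "crit": ["b64"]})
    protected = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    segment = payload if unencoded else _b64url_encode(payload.encode())
    signature = _b64url_encode(b"placeholder-signature")
    compact = f"{protected}.{segment}.{signature}"
    flattened = {"protected": protected, "payload": segment, "signature": signature}
    return compact, flattened


if __name__ == "__main__":
    small, _ = build_sample_jws("hello", unencoded=False)
    big_compact, big_flat = build_sample_jws("x" * 100, unencoded=True)
    for tok in (small, big_compact, big_flat):
        try:
            print("accepted, payload bytes:", enforce_payload_limit(tok))
        except PayloadTooLarge as exc:
            print("rejected:", exc)
```

Call enforce_payload_limit with the same limit the application configures for JWSRegistry.max_payload_length before passing the token to the library's deserialize function; the check parses only the protected header, so its own cost stays small regardless of payload size, and a rejected token never reaches signature verification.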

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 19:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Authlib; Authlib joserfc

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Authlib; Authlib joserfc

Thu, 18 Jun 2026 16:45:00 +0000

Type: Metrics
  Values Removed: (none)
  Values Added: ssvc
    {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 18 Jun 2026 04:45:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In versions 1.3.4 through 1.6.5, joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegistry.max_payload_length, which can lead to resource exhaustion. The normal JWS compact and flattened JSON paths reject payloads above the configured payload-size limit with ExceededSizeError. The RFC7797 unencoded payload paths do not make the same check. A valid b64=false compact or flattened JSON JWS can therefore deserialize successfully with a payload larger than JWSRegistry.max_payload_length. Applications that accept lower-trust JWS values and rely on joserfc to reject oversized token content during verification have a moderate availability risk. This issue has been fixed in version 1.6.7.

Type: Title
  Values Removed: (none)
  Values Added: joserfc: b64=false RFC7797 JWS payloads bypass JWSRegistry payload-size limits during deserialization

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-400; CWE-770

Type: References
  Values Removed: (none)
  Values Added: (none listed)

Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1
    {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T12:51:59.900Z

Reserved: 2026-05-26T23:26:07.975Z

Link: CVE-2026-48990

Vulnrichment

Updated: 2026-06-18T12:51:36.906Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T19:30:15Z

Weaknesses
  • CWE-400: Uncontrolled Resource Consumption
  • CWE-770: Allocation of Resources Without Limits or Throttling