cvedb.io
CVE-2026-39373
MEDIUM · CVSS 5.3
EPSS exploitation probability: 0%
Published 2026-04-07T20:16:32.133 · Last modified 2026-06-17T10:42:00.767

Summary

JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression. The existing patch for CVE-2024-28102 limits input token size to 250KB but does not validate the decompressed output size. An unauthenticated attacker can cause memory exhaustion on memory-constrained systems. A token under the 250KB input limit can decompress to approximately 100MB. This vulnerability is fixed in 1.5.7.

Affected products

latchset — jwcrypto

Does this affect you?

Add your gear to cvedb and we'll alert you only when latchset ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.