How the CVE Works
The vulnerability exists in Authlib's implementation of JWE (JSON Web Encryption) when the `"zip":"DEF"` header is used. This header signals that the payload was DEFLATE-compressed before encryption. During decryption, the library decrypts the ciphertext and then passes the result to the `DeflateZipAlgorithm.decompress` method, which calls Python's `zlib.decompress(data, -zlib.MAX_WBITS)`. The critical flaw is that this decompression call has no output size limit. DEFLATE achieves extreme compression ratios on highly repetitive input, such as a long run of identical bytes, so an attacker can craft a small JWE token (a few kilobytes) containing a compressed "bomb". When the service processes that token, `zlib.decompress` expands the small payload into an enormous object in memory (tens or hundreds of megabytes), exhausting system RAM and CPU and causing a Denial-of-Service condition.
DailyCVE Form
Platform: Authlib (Python)
Version: <=1.6.4
Vulnerability: Unbounded Decompression
Severity: Medium/High
Date: 2025
Prediction: Q1 2025
What Undercode Says:
Analytics
`zlib.decompress(bomb, -zlib.MAX_WBITS)`
`DeflateZipAlgorithm.decompress`
`zip_.decompress(msg)`
How the Exploit Works:
Craft small JWE.
Use `"zip":"DEF"`.
Highly compressible payload.
Server decompresses massively.
Protection from this CVE
Reject `"zip":"DEF"`.
Implement max output size.
Use joserfc library.
Apply size limits.
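The bounded-output decompression that the "How the CVE Works" paragraph and the "Implement max output size" item call for, as an added example (not Authlib's or joserfc's own code): `zlib.decompressobj` with `max_length` stops inflating as soon as the output passes a cap, so a small bomb is rejected after producing at most that many bytes instead of the full tens or hundreds of megabytes. The cap value, the function names and the sample payloads are assumptions constructed for this example.

```python
import zlib

# Upper bound on plaintext materialised for one JWE. The value is an assumption
# for this example; size it to the tokens you actually issue.
MAX_DECOMPRESSED_BYTES = 256 * 1024

class DecompressionBombError(ValueError):
    """Raised when a "zip":"DEF" payload would inflate past the configured limit."""

def raw_deflate(data: bytes) -> bytes:
    """Raw DEFLATE (no zlib header), the encoding JWE "zip":"DEF" uses."""
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return c.compress(data) + c.flush()

def bounded_inflate(data: bytes, limit: int = MAX_DECOMPRESSED_BYTES) -> bytes:
    """Inflate raw DEFLATE, refusing to produce more than `limit` bytes.

    zlib.decompress(data, -zlib.MAX_WBITS) inflates the whole stream before
    returning. A decompressobj with max_length stops as soon as output reaches
    limit + 1, so a bomb costs at most `limit` bytes before it is rejected.
    """
    d = zlib.decompressobj(-zlib.MAX_WBITS)
    out = bytearray()
    pending = data
    while True:
        # Ask for at most one byte past the limit: reaching it proves the overflow.
        chunk = d.decompress(pending, max_length=limit + 1 - len(out))
        out += chunk
        if len(out) > limit:
            raise DecompressionBombError(f"inflated size exceeds {limit} bytes")
        if d.eof:
            return bytes(out)
        pending = d.unconsumed_tail  # input zlib has not consumed yet
        if not chunk and not pending:
            raise ValueError("truncated or corrupt DEFLATE stream")

def is_bomb(data: bytes, limit: int = MAX_DECOMPRESSED_BYTES) -> bool:
    """True if inflating `data` would exceed `limit`."""
    try:
        bounded_inflate(data, limit)
    except DecompressionBombError:
        return True
    return False

# Constructed samples: a small claims set, and 8 MiB of one byte, which raw
# DEFLATE shrinks to a few kilobytes (the "bomb" the advisory describes).
LEGIT_PLAINTEXT = b'{"sub":"alice","scope":"read"}'
LEGIT_DEFLATED = raw_deflate(LEGIT_PLAINTEXT)
BOMB = raw_deflate(b"A" * (8 * 1024 * 1024))
```

Wire `bounded_inflate` in wherever the decrypted JWE payload is handed to DEFLATE, and treat `DecompressionBombError` as a rejected token, not a retryable error.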
Impact:
Memory exhaustion.
CPU exhaustion.
Denial-of-Service.
Availability loss.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode