CNNVD-202512-3283 Information

CNNVD ID

CNNVD-202512-3283

CVE-2024-29371

  • CNNVD Published: 2025-12-17

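Description (translated from Chinese)

jose4j is a robust and easy-to-use open source implementation of JSON Web Token (JWT) and the JOSE specification suite (JWS, JWE and JWK), open-sourced by Bitbucket. Versions of jose4j before 0.9.5 contain a security vulnerability: an attacker can construct a malicious JSON Web Encryption token with an extremely high compression ratio, which may lead to a denial-of-service attack.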

Description (English)

jose4j is a powerful and easy-to-use open source implementation of JSON Web Token (JWT) and the JOSE specification suite (JWS, JWE and JWK). Versions of jose4j before 0.9.5 have a security vulnerability: an attacker can construct a malicious JSON Web Encryption token with a very high compression ratio, which could lead to a denial-of-service attack.

Hazard Level

Medium

Vulnerability Type

Other

Affected Vendor

Bitbucket

Published

2025-12-17

Last Modified

2026-02-24

References

  • https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack
  • https://access.redhat.com/security/cve/cve-2024-29371

Patch

https://bitbucket.org/b_c/jose4j/src/master/
