Main Vulnerability Database Vulnerabilities #VU123913

Improper access control in jose4j - CVE-2024-29371

Published: March 12, 2026

Vulnerability identifier: #VU123913

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2024-29371

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: jose4j

Affected software:
jose4j

Detailed vulnerability description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.

How to mitigate CVE-2024-29371

Install updates from vendor's website.

Sources

https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack

Improper access control in jose4j - CVE-2024-29371

Detailed vulnerability description

How to mitigate CVE-2024-29371

Sources

Please verify you're human