fix(deps): update dependency joserfc to v1.6.7 [security] #2054
Open
renovate[bot] wants to merge 1 commit into
This PR contains the following updates:
- joserfc: `==1.6.4` → `==1.6.7`

joserfc: `b64=false` RFC 7797 JWS payloads bypass `JWSRegistry` payload-size limits during deserialization

CVE-2026-48990 / GHSA-wphv-vfrh-23q5

Details
RFC7797 b64=false JWS payloads bypass JWSRegistry payload-size limits during deserialization
Summary
Testing revealed that joserfc accepts oversized RFC 7797 `b64=false` JWS payloads without applying `JWSRegistry.max_payload_length`.

The normal JWS compact and flattened JSON paths reject payloads above the configured payload-size limit with `ExceededSizeError`. The RFC 7797 unencoded payload paths do not make the same check. A valid `b64=false` compact or flattened JSON JWS can therefore deserialize successfully with a payload larger than `JWSRegistry.max_payload_length`.

This creates a moderate availability/resource-exhaustion risk for applications that accept lower-trust JWS values and rely on joserfc to reject oversized token content during verification.

Affected Product

- Package: joserfc (pip)
- Version: 1.6.5 (commit 881712980934fb601bed26fe3ae1ec0b7780e6f7)
- Releases tested: 1.3.4, 1.3.5, 1.4.2, 1.6.2, 1.6.3, 1.6.4, 1.6.5

Vulnerability Details
In joserfc 1.6.5, the default JWS registry has `max_payload_length = 128000` and exposes `validate_payload_size()`.

The normal compact extraction path calls that check before base64url-decoding the payload. The RFC 7797 compact path validates the header and signature segment sizes, then assigns the unencoded payload directly:

The flattened JSON RFC 7797 path has the same pattern:

Neither branch calls `registry.validate_payload_size(payload_segment)` before accepting the unencoded payload.

Reproduction
The proof below uses only local Python APIs. It signs a payload one byte over the default limit and then compares normal JWS behavior with RFC 7797 `b64=false` behavior.

Requirements:

`python -m pip install "joserfc==1.6.5"`

Run:

Self-contained proof script:

Expected output on 1.6.5 includes:

```json
{
  "default_max_payload_length": 128000,
  "payload_len": 128001,
  "compact": [
    { "case": "normal_b64_true", "accepted": false, "exception": "ExceededSizeError" },
    { "case": "rfc7797_b64_false", "accepted": true, "exception": null, "payload_len_after_deserialize": 128001 }
  ],
  "json": [
    { "case": "normal_b64_true_json", "accepted": false, "exception": "ExceededSizeError" },
    { "case": "rfc7797_b64_false_json", "accepted": true, "exception": null, "payload_len_after_deserialize": 128001 }
  ]
}
```

Version Checks
I reproduced the same differential behavior on these releases:
(Version table flattened during extraction. What survives is the column header "`b64=false` over limit" and seven cells reading `ExceededSizeError`.)

The exact earliest affected release may be broader. The versions above are the releases I directly tested where the JWS size-limit boundary exists and the RFC 7797 path bypasses it.
Relationship to Existing Advisories
I found two related public advisories for joserfc, but neither appears to cover this root cause.

- GHSA-frfh-8v73-gjg4 / CVE-2025-65015 describes oversized token parts being included in `ExceededSizeError` messages in older release ranges. The issue described here reproduces in 1.6.5 and is not about exception message content. The oversized RFC 7797 payload is accepted instead of raising `ExceededSizeError`.
- GHSA-w5r5-m38g-f9f9 / CVE-2026-27932 describes unbounded PBES2 `p2c` iteration counts during JWE decryption. The issue described here is in JWS RFC 7797 payload extraction and does not involve PBES2 or JWE decryption.

Workarounds
Before a fixed release is available, affected applications can reduce exposure by rejecting oversized serialized JWS inputs before passing them to joserfc, disabling or disallowing RFC 7797 `b64=false` tokens if not needed, and enforcing strict request/header/body size limits at the application or reverse-proxy layer.

Suggested Remediation

Apply `registry.validate_payload_size(payload_segment)` to RFC 7797 unencoded payloads before assigning them to the JWS object in both compact and flattened JSON extraction paths. Detached RFC 7797 compact payloads supplied through the `payload` argument should be checked in the same way.
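The workaround and the suggested remediation above can be approximated outside the library with a pre-filter that runs before a token reaches joserfc. The following is an added example written for this page, not joserfc's own code: it parses compact and flattened JSON JWS, measures the payload segment as received on the wire so the same limit applies to base64url and RFC 7797 `b64=false` payloads, and by default refuses `b64=false` tokens altogether. The 128000 limit is the joserfc default quoted in the advisory; `precheck_jws`, `classify` and `build_unsigned_token` are names chosen here, the tokens it builds are constructed samples with a placeholder signature segment, and signature verification is deliberately left to joserfc after the check passes.

```python
"""Pre-filter for serialized JWS inputs before they are handed to joserfc.

Added example, not joserfc's code. Enforces a payload-segment size limit that
covers both base64url-encoded and RFC 7797 b64=false payloads, and optionally
rejects b64=false tokens outright. No signature verification happens here.
"""
import base64
import binascii
import json

# Same default as the joserfc JWSRegistry value quoted in the advisory.
DEFAULT_MAX_PAYLOAD_LENGTH = 128000


class OversizedJWSError(ValueError):
    """Payload segment exceeds the configured limit."""


class UnencodedPayloadNotAllowedError(ValueError):
    """Token uses RFC 7797 b64=false but this deployment does not accept it."""


def _b64url_decode(segment: str) -> bytes:
    # Wire segments are unpadded; restore padding for the stdlib decoder.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _parse_protected_header(segment: str) -> dict:
    try:
        header = json.loads(_b64url_decode(segment))
    except (binascii.Error, ValueError) as exc:
        raise ValueError("protected header is not valid base64url JSON") from exc
    if not isinstance(header, dict):
        raise ValueError("protected header must be a JSON object")
    return header


def _split_segments(token):
    """Return (serialization, protected_segment, payload_segment) without decoding the payload."""
    if isinstance(token, dict) or (isinstance(token, str) and token.lstrip().startswith("{")):
        obj = token if isinstance(token, dict) else json.loads(token)
        if not isinstance(obj, dict) or "protected" not in obj or "payload" not in obj:
            raise ValueError("only flattened JSON JWS with a protected header is supported")
        return "json", obj["protected"], obj["payload"]
    parts = token.split(".")
    # RFC 7797 forbids '.' inside an unencoded compact payload, so three segments is the only valid shape.
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three segments")
    return "compact", parts[0], parts[1]


def precheck_jws(token, *, max_payload_length=DEFAULT_MAX_PAYLOAD_LENGTH, allow_b64_false=False) -> dict:
    """Reject oversized or disallowed tokens; return a short summary on success."""
    serialization, protected_segment, payload_segment = _split_segments(token)
    header = _parse_protected_header(protected_segment)
    unencoded = header.get("b64") is False
    if unencoded:
        if not allow_b64_false:
            raise UnencodedPayloadNotAllowedError("RFC 7797 b64=false tokens are not accepted")
        if "b64" not in header.get("crit", []):
            raise ValueError('RFC 7797 requires "b64" to be listed in "crit"')
    # Measure the payload segment as received, before any decoding. For b64=true this is the
    # base64url text (the same thing joserfc's normal path checks); for b64=false it is the raw
    # payload that the affected library versions accept without a size check.
    if len(payload_segment) > max_payload_length:
        raise OversizedJWSError(
            f"payload segment of {len(payload_segment)} characters exceeds {max_payload_length}"
        )
    return {"serialization": serialization, "b64": not unencoded, "payload_len": len(payload_segment)}


def classify(token, **kwargs) -> dict:
    """Run the pre-check and report the outcome instead of raising (mirrors the advisory's result shape)."""
    try:
        info = precheck_jws(token, **kwargs)
    except ValueError as exc:
        return {"accepted": False, "exception": type(exc).__name__}
    return {"accepted": True, "exception": None, "payload_len": info["payload_len"]}


def build_unsigned_token(payload: str, *, b64: bool, flattened: bool = False):
    """Constructed sample token with a placeholder signature segment, for demonstration only."""
    header = {"alg": "HS256"}
    if not b64:
        header.update({"b64": False, "crit": ["b64"]})
    protected = base64.urlsafe_b64encode(json.dumps(header).encode()).decode().rstrip("=")
    payload_segment = payload if not b64 else base64.urlsafe_b64encode(payload.encode()).decode().rstrip("=")
    signature = "placeholder-signature"  # constructed; a real token carries a base64url signature here
    if flattened:
        return {"protected": protected, "payload": payload_segment, "signature": signature}
    return f"{protected}.{payload_segment}.{signature}"


if __name__ == "__main__":
    big = "a" * (DEFAULT_MAX_PAYLOAD_LENGTH + 1)
    for name, tok in (("normal_b64_true", build_unsigned_token(big, b64=True)),
                      ("rfc7797_b64_false", build_unsigned_token(big, b64=False))):
        print(name, classify(tok, allow_b64_false=True))
```

The filter is intentionally stricter than joserfc: with the default `allow_b64_false=False` it refuses unencoded payloads entirely, matching the "disallow RFC 7797 `b64=false` tokens if not needed" workaround, and a deployment that must accept them opts in and still gets the size bound. It should sit in front of joserfc, not replace it, because only the library verifies the signature.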
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes

authlib/joserfc (joserfc)

v1.6.7

🐞 Bug Fixes

v1.6.5

No significant changes
Configuration
📅 Schedule: (in timezone America/Toronto)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.