Vulnerability CVE-2024-29371: Information

Description

In jose4j before 0.9.6, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.

Severity: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Published: Dec. 17, 2025
Modified: Jan. 23, 2026
Error type identifier: CWE-1259

Fixed packages

Package name  Branch                 Fixed in version  Version from repository  Errata ID           Task #  State
kafka         sisyphus               4.2.0-alt2        4.2.0-alt4               ALT-PU-2026-5782-1  414376  Fixed
kafka         sisyphus_loongarch64   4.2.0-alt3        4.2.0-alt4               ALT-PU-2026-5915-1  -       Fixed
kafka         c10f2                  4.2.0-alt3        3.9.1-alt2.c10.1         ALT-PU-2026-5788-1  414377  Testing

References to Advisories, Solutions, and Tools

    1. cpe:2.3:a:jose4j_project:jose4j:*:*:*:*:*:*:*:*
      End excluding: 0.9.5