Platform: python
Component: joserfc
Fixed in: 1.3.4, 1.4.1, 1.3.5
CVE-2025-65015 is a critical vulnerability in the joserfc Python library affecting versions up to and including 1.3.4. The flaw lets an attacker inject arbitrarily large, forged JWT (JSON Web Token) payloads into the application's Python logging output, because the library echoes a rejected token in an exception message. Anything that records those messages, whether log files or diagnostic tools such as Sentry, ends up storing attacker-controlled data of attacker-chosen size, which can expose sensitive information and compromise application security and user data. A fix is available in version 1.3.5.
The core impact of CVE-2025-65015 is information disclosure through logs. An attacker crafts an oversized JWT and sends it in an HTTP request. When joserfc rejects the token because it exceeds the size limit, the raised ExceededSizeError carries the undecoded token, payload included, in its message. If the application logs that exception, as most error handlers do, the full token is written to the log and becomes readable by anyone with access to it; this could include user credentials, API keys, or other sensitive data carried in the token. The risk is amplified when an error-aggregation service such as Sentry is in place, since it stores the messages centrally and retains them, creating a persistent record of the exposed data. The lack of sanitization before logging, combined with the unbounded size of the logged string, is what makes this vulnerability dangerous.
CVE-2025-65015 was publicly disclosed on 2025-11-18. There is currently no indication of active exploitation in the wild, but the vulnerability is easy to trigger (a single oversized request) and the potential for data exposure is significant, so it should be treated as a high-priority concern. It is not currently listed in the CISA KEV catalog. Public proof-of-concept code is likely to appear given how simple the trigger is.
Applications that use joserfc for JWT handling are at risk, in particular those deployed behind web servers that do not limit request size and those that log JWT-related exceptions without sanitization. Shared hosting environments, where the application owner cannot tighten the server configuration, are particularly exposed.
• python / server:
  grep -rn -E 'joserfc|jwt\.decode' /path/to/your/python/project/
  journalctl -u your_app_name | grep 'ExceededSizeError'
• generic web:
  curl -I https://your-app.com/api/endpoint | grep 'Authorization:'
disclosure
Exploit status
EPSS: 0.07% (20th percentile)
CISA SSVC
The primary mitigation for CVE-2025-65015 is to upgrade the joserfc library to version 1.3.5 or later; that release stops the undecoded JWT from being placed in the exception message. If upgrading is not immediately feasible, apply a temporary workaround: disable or restrict the logging of exception messages raised during JWT decoding, and review your logging configuration so that token contents are never written verbatim. Independently of the upgrade, enforce a maximum size for JWTs accepted by your application, ideally both at the web server (request and header size limits) and in the application before the token reaches the decoder. After upgrading, confirm the fix by attempting to decode a large, crafted JWT and verifying that the token is absent from the exception message and from every log sink, including any error tracker.
Update the joserfc library to version 1.3.5 or later, or to version 1.4.2 or later. This fixes the uncontrolled resource consumption caused by logging arbitrarily large JWT payloads. You can update with `pip install joserfc==1.4.2` or the latest available version.
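The two interim controls described above (a size gate before the token reaches the decoder, and sanitization of what gets logged) together with the post-upgrade check, as an added Python example. This is not joserfc's code and not code from this page: it assumes a caller-supplied `decode` callable standing in for the library's `jwt.decode`, a hypothetical 4096-character cap, and a constructed `leaky_decode` that reproduces the echo-the-token behaviour the advisory describes so the example runs offline. The JWT regex, placeholder format and logger name are this example's own choices.

```python
import hashlib
import io
import logging
import re
import traceback
from typing import Any, Callable

# Assumed cap on an incoming compact JWT. Session tokens are normally far
# below this; anything larger is rejected before any decoder sees it.
MAX_TOKEN_LEN = 4096

# Compact JWS/JWT shape: three base64url segments joined by dots. The
# signature segment may be empty (unsecured "alg":"none" tokens).
JWT_RE = re.compile(r"\b[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]*")


def fingerprint(token: str) -> str:
    """Short non-reversible handle so log lines can still be correlated."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()[:12]


def scrub(text: str, max_len: int = 1024) -> str:
    """Replace JWT-shaped substrings with a placeholder and cap the length."""
    text = JWT_RE.sub(
        lambda m: f"<jwt len={len(m.group(0))} fp={fingerprint(m.group(0))}>", text
    )
    if len(text) > max_len:
        text = text[:max_len] + f" ...<truncated {len(text) - max_len} chars>"
    return text


class JWTRedactingFilter(logging.Filter):
    """Handler-level filter: scrubs the rendered message and, when an exception
    is attached, the traceback text, before the formatter writes either."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())
        record.args = ()
        if record.exc_info and record.exc_info[1] is not None:
            tb_text = "".join(traceback.format_exception(*record.exc_info))
            record.exc_text = scrub(tb_text, max_len=4096)  # formatter uses this
        return True


class TokenTooLarge(ValueError):
    """Raised before the JWT library is ever called on an oversized token."""


def guarded_decode(token: str, decode: Callable[[str], Any], log: logging.Logger,
                   max_len: int = MAX_TOKEN_LEN) -> Any:
    """Size-gate a token, then call the caller-supplied decoder (e.g. a thin
    wrapper around joserfc's jwt.decode). Only size and fingerprint are logged."""
    if len(token) > max_len:
        log.warning("rejected oversized JWT: len=%d fp=%s", len(token), fingerprint(token))
        raise TokenTooLarge(f"token length {len(token)} exceeds {max_len}")
    try:
        return decode(token)
    except Exception:
        # Log the failure with traceback; the filter keeps the token out.
        log.error("JWT decode failed", exc_info=True)
        raise


def error_echoes_token(token: str, decode: Callable[[str], Any]) -> bool:
    """Post-upgrade check: does a failing decode echo the token in its message?"""
    try:
        decode(token)
    except Exception as exc:
        return token in str(exc)
    return False


def leaky_decode(token: str) -> Any:
    """Constructed stand-in (NOT joserfc's code) for a decoder whose size error
    echoes the whole token, mirroring the behaviour the advisory describes."""
    raise ValueError(f"token exceeds size limit: {token}")


def captured_log(token: str, decode: Callable[[str], Any]) -> str:
    """Run guarded_decode with the filter installed; return what was logged."""
    buf = io.StringIO()
    log = logging.getLogger("jwt-demo")
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.addFilter(JWTRedactingFilter())
    log.addHandler(handler)
    try:
        guarded_decode(token, decode, log)
    except ValueError:
        pass
    handler.flush()
    return buf.getvalue()


# Constructed tokens: a genuine HS256 header segment followed by filler
# payload and signature segments (not signed data).
HEADER = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
BIG_TOKEN = HEADER + "." + "A" * 8000 + "." + "x" * 43   # 8081 chars, over the cap
SMALL_TOKEN = HEADER + "." + "B" * 40 + "." + "c" * 43   # under the cap, still fails

if __name__ == "__main__":
    print("leaky decoder echoes token:", error_echoes_token(BIG_TOKEN, leaky_decode))
    print(captured_log(BIG_TOKEN, leaky_decode))
    print(captured_log(SMALL_TOKEN, leaky_decode))
```

With a patched joserfc, `error_echoes_token` run against the real decoder should return False for an oversized token; if it returns True, the library in use still has the echoing behaviour. The filter is attached to the handler rather than the logger so that it also covers records arriving from third-party loggers, and it rewrites `exc_text` because the traceback, not the message line, is where an exception message normally surfaces.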
CVE-2025-65015 is a critical vulnerability in joserfc versions ≤1.3.4 that allows attackers to inject forged JWT payloads into Python logs, potentially exposing sensitive data.
You are affected if you are using joserfc version 1.3.4 or earlier and your application is deployed behind a web server that doesn't properly validate request sizes.
Upgrade to joserfc version 1.3.5 or later. As a temporary workaround, limit request sizes on your web server and review your logging configuration to avoid logging sensitive JWT data.
While no active exploitation has been confirmed, the vulnerability is simple to trigger, so it may be picked up by attackers quickly.
Refer to the joserfc project's release notes and security advisories on their GitHub repository for the latest information.