Platform: python
Component: joserfc
Fixed in: 1.3.4, 1.4.1, 1.3.5
CVE-2025-65015 is a critical vulnerability affecting the joserfc Python library, specifically versions up to 1.3.4. This flaw allows attackers to inject arbitrarily large, forged JWT (JSON Web Token) payloads into Python logging systems. This can lead to sensitive information being exposed through log files or diagnostic tools like Sentry, potentially compromising application security and user data. A fix is available in version 1.3.5.
The core of the vulnerability lies in how joserfc handles ExceededSizeError exceptions during JWT decoding. When a malformed or excessively large JWT is received, the error message embeds parts of the token itself. If the web server in front of the application is not configured to limit the size of incoming requests and headers, an attacker can submit a JWT large enough that the resulting error message overwhelms the logging pipeline. Because the attacker controls the token's contents, the injected data can contain arbitrary forged claims (user identifiers, roles, or other attributes), which are then recorded in the logs and become visible to anyone with access to them. The impact is particularly severe where logs are centralized or used for security monitoring, since the attacker can effectively poison the monitoring data.
This vulnerability was publicly disclosed on 2025-11-18. No public proof-of-concept (PoC) has been released, but exploitation requires only the ability to send crafted HTTP headers, so rapid adoption is plausible. The impact, information disclosure, makes it a high-priority concern. It is not listed on CISA KEV as of this writing.
Exploit Status
EPSS: 0.07% (20th percentile)
CISA SSVC
The primary mitigation is to upgrade to joserfc version 1.3.5 or later, which addresses the vulnerability. If upgrading immediately is not feasible, apply temporary workarounds in layers. First, configure your web server (e.g., Nginx, Apache) to limit the size of incoming request headers and bodies so that oversized JWTs never reach the Python application. Second, review your logging configuration so that token material and other sensitive data are not logged unnecessarily; redact or mask such values before they are written to disk or forwarded to tools like Sentry. Finally, add input validation that rejects JWTs exceeding a reasonable size limit before they are passed to the decoder.
Update the joserfc library to version 1.3.5 or higher, or to version 1.4.2 or higher. This corrects the uncontrolled resource consumption caused by logging arbitrarily large JWT payloads. You can update with `pip install joserfc==1.4.2` or the latest available version.
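The two application-side workarounds above (rejecting oversized tokens before decoding, and redacting token material from log records) can be combined in a few lines of standard-library Python. The following is an added example written for this page; it is not code from the joserfc project and does not import joserfc, so it runs on its own. The size cap, the log length cap, the logger name and the oversized token are constructed values chosen for the demonstration.

```python
import logging
import re

# Constructed limits: an application-specific cap on accepted token size and
# on the length of any single log message. Tune both to your deployment.
MAX_TOKEN_BYTES = 4096
MAX_LOG_MESSAGE_CHARS = 512

# A JWT is three base64url segments separated by dots. Header and payload are
# never tiny; the signature segment may be empty for unsigned ("none") tokens.
JWT_PATTERN = re.compile(r"[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]*")


def accept_token(raw_token: str) -> bool:
    """Input validation to run before the token is handed to the JWT decoder.

    Rejects empty, oversized, or structurally wrong tokens so that the decoder
    (and its error messages) never see attacker-sized input.
    """
    if not raw_token:
        return False
    if len(raw_token.encode("utf-8")) > MAX_TOKEN_BYTES:
        return False
    return raw_token.count(".") == 2


def sanitize_log_message(message: str, max_chars: int = MAX_LOG_MESSAGE_CHARS) -> str:
    """Redact anything shaped like a JWT and cap the message length."""
    cleaned = JWT_PATTERN.sub("<jwt redacted>", message)
    if len(cleaned) > max_chars:
        cleaned = cleaned[:max_chars] + "...[truncated]"
    return cleaned


class JWTRedactingFilter(logging.Filter):
    """Logging filter that sanitizes every record before it is emitted.

    Attach it to handlers (not only loggers) so records arriving through
    propagation from third-party code, including library exception text,
    are covered too.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message with its args first, then replace it with the
        # sanitized text and clear args so it is not formatted a second time.
        record.msg = sanitize_log_message(record.getMessage())
        record.args = ()
        return True


class _ListHandler(logging.Handler):
    """Collects formatted records in memory so the demo can inspect them."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def demo() -> list[str]:
    """Run the guard and the filter against a constructed oversized token."""
    logger = logging.getLogger("joserfc-demo")  # constructed logger name
    logger.setLevel(logging.DEBUG)
    logger.handlers.clear()
    logger.propagate = False
    handler = _ListHandler()
    handler.addFilter(JWTRedactingFilter())
    logger.addHandler(handler)

    # Constructed oversized token: a plausible header segment followed by a
    # payload far beyond the cap, the shape an attacker-supplied header has.
    forged = "eyJhbGciOiJIUzI1NiJ9." + "A" * 20000 + ".sig"
    if not accept_token(forged):
        # Even though the raw token is interpolated here, the filter strips it.
        logger.warning("rejected oversize bearer token: %s", forged)
    logger.info("decoded token for user %s", "alice")
    return handler.lines


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The filter is deliberately attached to the handler rather than the logger: library code such as joserfc logs (or has its exception text logged) through its own loggers, and only handler-level filters see those records. The size guard is cheap and should run at the edge of the application, before any parsing, so that a rejected token never reaches code that might echo it into an error message.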
CVE-2025-65015 is a critical vulnerability in joserfc versions ≤1.3.4 that allows attackers to inject forged JWT payloads into Python logs, potentially exposing sensitive data.
You are affected if you are using joserfc version 1.3.4 or earlier and your application is deployed behind a web server that doesn't properly validate request sizes.
Upgrade to joserfc version 1.3.5 or later. As a temporary workaround, limit request sizes on your web server and review your logging configuration to avoid logging sensitive JWT data.
While no active exploitation has been confirmed, the ease of exploitation suggests a potential for rapid adoption.
Refer to the joserfc project's release notes and security advisories on their GitHub repository for the latest information.