Allocation of Resources Without Limits or Throttling Affecting joserfc package, versions *
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Allocation of Resources Without Limits or Throttling vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-DEBIAN13-JOSERFC-14058754
- published20 Nov 2025
- disclosed18 Nov 2025
Introduced: 18 Nov 2025
NewCVE-2025-65015 (opens in a new tab)How to fix?
There is no fixed version for Debian:13 joserfc.
NVD Description
Note: Versions mentioned in the description apply only to the upstream joserfc package and not the joserfc package as distributed by Debian.
See How to fix? for Debian:13 relevant fixed versions and status.
joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In versions from 1.3.3 to before 1.3.5 and from 1.4.0 to before 1.4.2, the ExceededSizeError exception messages are embedded with non-decoded JWT token parts and may cause Python logging to record an arbitrarily large, forged JWT payload. In situations where a misconfigured — or entirely absent — production-grade web server sits in front of a Python web application, an attacker may be able to send arbitrarily large bearer tokens in the HTTP request headers. When this occurs, Python logging or diagnostic tools (e.g., Sentry) may end up processing extremely large log messages containing the full JWT header during the joserfc.jwt.decode() operation. The same behavior also appears when validating claims and signature payload sizes, as the library raises joserfc.errors.ExceededSizeError() with the full payload embedded in the exception message. Since the payload is already fully loaded into memory at this stage, the library cannot prevent or reject it. This issue has been patched in versions 1.3.5 and 1.4.2.
References
- https://security-tracker.debian.org/tracker/CVE-2025-65015
- https://github.com/authlib/joserfc/commit/63932f169d924caffafa761af2122b82059017f7
- https://github.com/authlib/joserfc/commit/673c8743fd0605b0e1de6452be6cba75f44e466b
- https://github.com/authlib/joserfc/releases/tag/1.3.5
- https://github.com/authlib/joserfc/releases/tag/1.4.2
- https://github.com/authlib/joserfc/security/advisories/GHSA-frfh-8v73-gjg4