CVE-2025-65015 is a critical-severity allocation of resources without limits or throttling vulnerability in joserfc (pip), affecting versions >= 1.3.3, < 1.3.5. It is fixed in 1.3.5, 1.4.2.
Summary The ExceededSizeError exception messages are embedded with non-decoded JWT token parts and may cause Python logging to record an arbitrarily large, forged JWT payload. Details In situations where a misconfigured, or entirely absent, production-grade web server sits in front of a Python web application, an attacker may be able to send arbitrarily large bearer tokens in the HTTP request headers. When this occurs, Python logging or diagnostic tools (e.g., Sentry) may end up processing extremely large log messages containing the full JWT header during the joserfc.jwt.decode() operation. The same behavior also appears when validating claims and signature payload sizes, as the library raises joserfc.errors.ExceededSizeError() with the full payload embedded in the exception message. Since the payload is already fully loaded into memory at this stage, the library cannot prevent or reject it per se. It is therefore the responsibility of the underlying web server (uvicorn/h11, gunicorn, Starlette, Werkzeug, nginx...etc) to enforce limits on header sizes. For example, a FastAPI/Starlette application running without uvicorn and/or gunicorn cannot enforce header size limits on its own. With uvicorn/h11, the --h11-max-incomplete-event-size <int> option can restrict the total size of the header plus body, but not the header alone. Similarly, vLLM serve , due to its reliance on uvicorn/h11 and the need for heavy data transfer in ML inference workloads, sets a default limit of 4 MB for header plus body and is frequently increased. In practice, a robust reverse proxy (such as nginx) is typically required because it can explicitly cap maximum header size. Unfortunately, many web applications do not run behind a proper reverse proxy. Given these constraints, the joserfc library cannot safely log or embed payloads of arbitrary size. This issue is particularly subtle, as it occurs only when a maliciously crafted JWT finally reaches the Python application, a scenario that most developers will never encounter during routine development and testing. PoC Environment Ubuntu 24.04 LTS Python 3.12 Tested on joserfc version 1.4.1 Code location This behavior occurs in: joserfc/rfc7515/registry.py L102-112 joserfc/rfc7516/registry.py L103-123 Another occurrence of ExceededSizeError in joserfc/rfc7518/jwezips.py is not affected by this issue as it does not include the payload content in the exception message. Impact In scenarios where a web application does not reject excessively large HTTP header payloads, using joserfc can expose the system to an Allocation of Resources Without Limits or Throttling (CWE-770), potentially impacting disk, memory, and CPU on the application host, as well as any external log storage, ingestion pipelines or alerting services. This risk can be mitigated by removing the JWT payload from the logged content in some joserfc.errors.ExceededSizeError() exception message occurrences. It would also be beneficial for the documentation to advise deploying the library behind a robust web server or reverse proxy that correctly enforces maximum request header sizes.
The application allocates resources such as memory, threads, or file descriptors based on untrusted input without enforcing a cap. Typical impact: resource exhaustion leading to denial of service.
pip
joserfc (>= 1.3.3, < 1.3.5)joserfc (>= 1.4.0, < 1.4.2)joserfc → 1.3.5 (pip)joserfc → 1.4.2 (pip)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2025-65015 is reachable in your applications. Explore open-source security for your team.
See if CVE-2025-65015 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2025-65015 in your environment →Upgrade the following packages to resolve this vulnerability:
joserfc to 1.3.5 or laterjoserfc to 1.4.2 or laterKodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2025-65015 is a critical-severity allocation of resources without limits or throttling vulnerability in joserfc (pip), affecting versions >= 1.3.3, < 1.3.5. It is fixed in 1.3.5, 1.4.2. The application allocates resources such as memory, threads, or file descriptors based on untrusted input without enforcing a cap.
joserfc (pip) versions >= 1.3.3, < 1.3.5 is affected.
Yes. CVE-2025-65015 is fixed in 1.3.5, 1.4.2. Upgrade to this version or later.
Whether CVE-2025-65015 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
joserfc to 1.3.5 or laterjoserfc to 1.4.2 or later