Home > Vulnerability Database > CVE-2024-29371

Mend.io Vulnerability Database

CVE-2024-29371

Good to know:

Date: December 16, 2025

In jose4j before 0.9.5, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.

Severity Score

7.5

Related Resources (5)

Url: https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack

Url: https://bitbucket.org/b_c/jose4j/commits/19a90a64c47bb07c4aa5462f1316d5c293d81fcf

Url: https://bitbucket.org/b_c/jose4j/wiki/Home

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-29371

Url: https://www.mend.io/vulnerability-database/CVE-2024-29371

Severity Score

7.5

Weakness Type (CWE)

Improper Restriction of Security Token Assignment

CWE-1259

Top Fix

Upgrade Version

Upgrade to version org.bitbucket.b_c:jose4j:0.9.6

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-29371

Good to know:

Date: December 16, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?