{"data":{"id":"7595ca58-df3a-4e7f-a2ff-1f57e8b161e2","title":"GHSA-fjrm-76x2-c4q4: JWCrypto: JWE ZIP decompression bomb","summary":"JWCrypto version 1.5.6 has incomplete protection against decompression bomb attacks (where compressed data expands to huge sizes). The code only checks the size of the compressed input (limiting it to 250KB) but does not check the size of the decompressed output, allowing an attacker to send a small token that expands to 100MB or more in memory, causing a denial of service (an out-of-memory crash) on resource-constrained devices.","solution":"The fix is implemented in version 1.5.7, as noted in the resolving commit. (The source does not provide explicit details of the fix itself, only that v1.5.7 contains the corrected implementation.)","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-fjrm-76x2-c4q4","publishedAt":"2026-04-08T00:16:14.000Z","cveId":"CVE-2026-39373","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["denial_of_service"],"issueType":"vulnerability","affectedPackages":["jwcrypto@<= 1.5.6"],"affectedVendors":[],"affectedVendorsRaw":["JWCrypto"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-04-08T00:16:14.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["availability"],"aiComponentTargeted":null,"llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":null}}