GHSA-fjrm-76x2-c4q4: JWCrypto: JWE ZIP decompression bomb
Summary
JWCrypto version 1.5.6 incompletely protects against decompression bombs (compressed input that expands to a far larger output) when it inflates the payload of a JWE whose header uses the "zip" parameter. The code caps the size of the compressed input at 250KB but never bounds the size of the decompressed output, so an attacker can submit a token that is well under the limit yet expands to 100MB or more in memory. On resource-constrained systems this exhausts memory and crashes the process, a denial of service.
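The pattern the summary describes, written out as an added, self-contained example (this is not JWCrypto's own code and does not reproduce the exact 1.5.6 or 1.5.7 implementation): a raw-DEFLATE stream, as used by JWE "zip":"DEF", built from a run of zero bytes stays under the 250KB input cap while inflating to many megabytes. `inflate_unbounded` models the weak check (input size only); `inflate_bounded` adds a hypothetical output cap, chosen here as 4 MiB, enforced with `zlib.decompressobj` and `max_length` so the attacker never gets more than the cap allocated. The cap value and the function names are assumptions made for this example.

```python
import zlib

# Limits used by this example. The compressed-input cap matches the figure in
# the advisory; the decompressed-output cap is a hypothetical value chosen here.
MAX_COMPRESSED = 250 * 1024
MAX_DECOMPRESSED = 4 * 1024 * 1024

RAW_DEFLATE_WBITS = -15  # negative wbits: raw DEFLATE, no zlib/gzip header, as JWE "zip":"DEF"


def deflate(payload: bytes) -> bytes:
    """Compress bytes as a raw DEFLATE stream (what a JWE producer would do)."""
    c = zlib.compressobj(9, zlib.DEFLATED, RAW_DEFLATE_WBITS)
    return c.compress(payload) + c.flush()


def make_bomb(plain_len: int) -> bytes:
    """Constructed attacker input: a highly repetitive plaintext compresses
    roughly 1000:1 under DEFLATE, so even 100 MiB fits under a 250KB cap."""
    return deflate(b"\x00" * plain_len)


def inflate_unbounded(data: bytes) -> bytes:
    """Weak check: only the compressed size is limited. The output size is
    whatever the stream says it is, so a small bomb allocates plain_len bytes."""
    if len(data) > MAX_COMPRESSED:
        raise ValueError("compressed payload too large")
    return zlib.decompress(data, RAW_DEFLATE_WBITS)


def inflate_bounded(data: bytes, max_out: int = MAX_DECOMPRESSED) -> bytes:
    """Hardened check: keep the input cap and also bound the output.
    max_length stops zlib from producing more than max_out + 1 bytes, so
    memory use is capped regardless of the advertised expansion."""
    if len(data) > MAX_COMPRESSED:
        raise ValueError("compressed payload too large")
    d = zlib.decompressobj(RAW_DEFLATE_WBITS)
    # Ask for one byte more than allowed: if we get it, the payload is too big.
    out = d.decompress(data, max_out + 1)
    if len(out) > max_out:
        raise ValueError("decompressed payload exceeds limit")
    if not d.eof:
        # Either the stream is truncated or zlib stopped because more output
        # was pending; both are grounds to reject rather than keep inflating.
        raise ValueError("incomplete or oversized DEFLATE stream")
    return out


def is_rejected(data: bytes) -> bool:
    """True when the hardened inflater refuses the input."""
    try:
        inflate_bounded(data)
    except ValueError:
        return False or True
    return False


if __name__ == "__main__":
    bomb = make_bomb(100 * 1024 * 1024)  # 100 MiB of zeros, as in the advisory
    print("compressed size:", len(bomb), "bytes (under cap:", len(bomb) <= MAX_COMPRESSED, ")")
    print("weak check inflates to:", len(inflate_unbounded(bomb)), "bytes")
    print("hardened check rejects bomb:", is_rejected(bomb))
    print("hardened check accepts normal token payload:", inflate_bounded(deflate(b'{"sub":"alice"}')))
```

The important design choice is that the bound is enforced inside the decompressor via `max_length`, not by decompressing everything and then measuring `len()`: the latter still allocates the full 100MB before the check runs, which is exactly the failure the advisory describes.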
Solution / Mitigation
The fix is released in version 1.5.7, as recorded in the resolving commit referenced by the advisory. The source gives no details of the fix itself, only that 1.5.7 contains the corrected implementation, so the practical mitigation is to upgrade jwcrypto to 1.5.7 or later and, until then, avoid accepting JWE tokens with the "zip" header from untrusted parties.
Vulnerability Details
EPSS: 0.0%
April 7, 2026
Related Issues
CVE-2022-29200: TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implem
CVE-2021-29541: TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a dereference of a null p
Original source: https://github.com/advisories/GHSA-fjrm-76x2-c4q4
First tracked: April 8, 2026 at 02:01 AM
Classified by LLM (prompt v3) · confidence: 75%