PatchSiren cyber security CVE debrief

CVE-2026-48990 authlib CVE debrief

The joserfc library, which implements the JSON Object Signing and Encryption (JOSE) standards in Python, carries a moderate availability risk in versions 1.3.4 through 1.6.5. The library accepts oversized RFC 7797 b64=false JWS payloads without applying the JWSRegistry.max_payload_length check that it does apply on the compact and flattened JSON paths. Applications that rely on joserfc to verify lower-trust JWS values are therefore exposed to resource exhaustion. The issue is fixed in version 1.6.7.

Vendor: authlib
Product: joserfc
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-23
Advisory published: 2026-06-17
Advisory updated: 2026-06-23

Who should care

Developers and security teams using the joserfc library for JOSE standards implementation in Python applications, especially those handling JSON Web Signatures (JWS) with potentially untrusted sources, should be aware of this vulnerability. Applications that verify JWS values and rely on joserfc to enforce payload size limits are at moderate risk of availability issues due to potential resource exhaustion.

Technical summary

The joserfc library mishandles oversized JWS payloads in the RFC 7797 unencoded (b64=false) form. While the compact and flattened JSON JWS paths enforce the payload size limit defined by JWSRegistry.max_payload_length, the library does not apply that check to b64=false JWS payloads. A valid but oversized b64=false JWS is therefore deserialized successfully, which can exhaust resources in applications that do not validate payload sizes independently. The vulnerability exists in versions 1.3.4 through 1.6.5 and is corrected in version 1.6.7.

Defensive priority

Medium

Recommended defensive actions

  • Update joserfc to version 1.6.7 or later to ensure the payload size check is properly enforced for all JWS formats.
  • Implement independent validation of JWS payload sizes for applications handling potentially untrusted JWS values.
  • Review and restrict the sources of JWS values to minimize exposure to potentially malicious or oversized payloads.
  • Monitor applications for signs of resource exhaustion that could indicate exploitation of this vulnerability.
  • Consider using alternative JOSE libraries or implementations that enforce stricter payload size limits across all JWS formats.
  • Enhance logging and monitoring to detect and respond to potential attacks exploiting this vulnerability.
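The second action above, independent validation of the payload size, can be applied to the serialized JWS before it reaches any library. The Python below is an added example written for this debrief, not joserfc's own code: it reads the protected header, honours the RFC 7797 b64 flag that the technical summary describes, measures the payload without decoding it, and rejects anything over a caller-chosen limit before joserfc (or any other JOSE library) is asked to deserialize the value. The DEFAULT_MAX_PAYLOAD_BYTES constant, the exception classes and the make_unsigned_compact helper are assumptions of this example; the tokens the helper builds carry an empty signature segment and exist only to exercise the check.

```python
import base64
import binascii
import json
from typing import Union

# Constructed default budget; align it with the JWSRegistry.max_payload_length
# your application configures so both checks agree.
DEFAULT_MAX_PAYLOAD_BYTES = 64 * 1024


class MalformedJWS(ValueError):
    """The value is not structurally a JWS this guard is willing to inspect."""


class OversizedPayload(ValueError):
    """The JWS payload exceeds the caller's size budget."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    padded = segment + "=" * (-len(segment) % 4)
    try:
        return base64.urlsafe_b64decode(padded)
    except (binascii.Error, ValueError) as exc:
        raise MalformedJWS("protected header is not valid base64url") from exc


def _protected_header(segment: str) -> dict:
    # The header is small and must be decoded to read 'b64'; the payload is not.
    try:
        header = json.loads(_b64url_decode(segment))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise MalformedJWS("protected header is not a JSON object") from exc
    if not isinstance(header, dict):
        raise MalformedJWS("protected header is not a JSON object")
    return header


def _decoded_length(segment: str) -> int:
    # Byte length of base64url data without allocating the decoded bytes:
    # each 4 characters carry 3 bytes; a 2- or 3-character tail carries 1 or 2.
    stripped = segment.rstrip("=")
    if len(stripped) % 4 == 1:
        raise MalformedJWS("payload segment has an impossible base64url length")
    return len(stripped) * 3 // 4


def payload_size(jws: Union[str, dict]) -> int:
    """Return the byte length of the JWS payload, honouring RFC 7797 b64=false."""
    if isinstance(jws, str):
        # Compact serialization: protected.payload.signature. RFC 7797 forbids a
        # '.' inside an unencoded compact payload, so a wrong segment count is
        # malformed rather than something to repair.
        parts = jws.split(".")
        if len(parts) != 3:
            raise MalformedJWS("compact JWS must have exactly three segments")
        protected, payload_segment = parts[0], parts[1]
    elif isinstance(jws, dict):
        # Flattened JSON serialization carries 'protected' at the top level; the
        # general serialization carries it inside each 'signatures' entry.
        payload_segment = jws.get("payload")
        protected = jws.get("protected")
        if protected is None:
            sigs = jws.get("signatures")
            if isinstance(sigs, list) and sigs and isinstance(sigs[0], dict):
                protected = sigs[0].get("protected")
        if not isinstance(payload_segment, str) or not isinstance(protected, str):
            raise MalformedJWS("JSON JWS lacks string 'payload'/'protected' members")
    else:
        raise MalformedJWS("unsupported JWS representation")

    header = _protected_header(protected)
    b64 = header.get("b64", True)
    if not isinstance(b64, bool):
        raise MalformedJWS("'b64' header must be a JSON boolean")
    if b64:
        return _decoded_length(payload_segment)
    # b64=false: the payload segment IS the payload, so measure it directly.
    return len(payload_segment.encode("utf-8"))


def check_payload_size(jws: Union[str, dict],
                       max_len: int = DEFAULT_MAX_PAYLOAD_BYTES) -> int:
    """Raise OversizedPayload before any library deserialization touches the value."""
    size = payload_size(jws)
    if size > max_len:
        raise OversizedPayload(f"JWS payload is {size} bytes, limit is {max_len}")
    return size


def make_unsigned_compact(header: dict, payload: bytes) -> str:
    """Constructed test input: a compact JWS with an empty signature segment."""
    protected = _b64url_encode(json.dumps(header).encode())
    if header.get("b64", True):
        payload_segment = _b64url_encode(payload)
    else:
        payload_segment = payload.decode("utf-8")  # RFC 7797 unencoded payload
    return f"{protected}.{payload_segment}."


if __name__ == "__main__":
    small = make_unsigned_compact({"alg": "HS256"}, b"hello")
    print("encoded payload bytes:", check_payload_size(small))
    big = make_unsigned_compact({"alg": "HS256", "b64": False, "crit": ["b64"]},
                                b"x" * 5000)
    try:
        check_payload_size(big, max_len=1024)
    except OversizedPayload as exc:
        print("rejected:", exc)
```

Run check_payload_size on every inbound token before calling the library's deserialization routine, and keep max_len equal to the JWSRegistry.max_payload_length you configure so that a value accepted by the guard is never larger than what the library is meant to accept. The guard reads only the protected header and never verifies a signature; it is a size gate in front of verification, not a replacement for it.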

Evidence notes

The information provided is based on the CVE-2026-48990 record and related sources from the National Vulnerability Database (NVD) and GitHub security advisories. The vulnerability's existence and details are confirmed by these official sources, which also provide the fix in version 1.6.7 of the joserfc library.
