CVE-2026-48990
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk6th percentile — higher than 6% of all known CVEs
Summary
The joserfc library in versions 1.3.4 through 1.6.5 accepts oversized JWS payloads without proper length checks, potentially leading to resource exhaustion. This issue has been fixed in version 1.6.7.
Risk Assessment
Organizations using joserfc may face availability risks if applications rely on this library to verify low-trust JWS tokens.
Recommendation
It is recommended to update the joserfc library to version 1.6.7 or later to mitigate this issue.
Original NVD description (English source)
joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In versions 1.3.4 through 1.6.5, joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegistry.max_payload_length, which can lead to resource exhaustion. The normal JWS compact and flattened JSON paths reject payloads above the configured payload-size limit with ExceededSizeError. The RFC7797 unencoded payload paths do not make the same check. A valid b64=false compact or flattened JSON JWS can therefore deserialize successfully with a payload larger than JWSRegistry.max_payload_length. Applications that accept lower-trust JWS values and rely on joserfc to reject oversized token content during verification have a moderate availability risk. This issue has been fixed in version 1.6.7.

