Red Hat JBoss EAP: CVE-2024-29371: Improper Restriction of Security Token Assignment
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:N/C:N/I:N/A:C) | Dec 17, 2025 | Dec 31, 2025 | Feb 5, 2026 |
Description
In jose4j before 0.9.6, a remote attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When the server processes this token, decompressing it requires significant memory allocation and processing time, which can make the service unavailable to legitimate users.
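The flaw described above is a decompression bomb: a JWE whose header carries "zip":"DEF" asks the recipient to inflate the plaintext, and an inflater with no output bound lets a few kilobytes of token force a very large allocation. The Python below is an added example, not jose4j code or part of this advisory; it places the unbounded pattern beside a bounded inflater that aborts once output passes a size limit. The limit value and both sample payloads are constructed for illustration.

```python
import zlib

# Upper bound on decompressed JWE plaintext this service accepts (assumed policy value).
MAX_PLAINTEXT_BYTES = 64 * 1024

# Constructed samples: normal claims, and a highly compressible stand-in for a high-ratio token.
BENIGN_CLAIMS = b'{"sub":"alice","iss":"https://idp.example","scope":"read"}'
HIGH_RATIO_PLAINTEXT = b"\x00" * (8 * 1024 * 1024)  # 8 MiB that deflates to a few KiB


class PlaintextTooLarge(ValueError):
    """Raised when a compressed payload would inflate past the configured bound."""


def deflate(plaintext: bytes) -> bytes:
    """Raw DEFLATE (RFC 1951), the encoding JWE uses when the header carries "zip":"DEF"."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(plaintext) + c.flush()


def inflate_unbounded(compressed: bytes) -> bytes:
    """Naive inflate: the sender decides how much memory we allocate (vulnerable pattern)."""
    return zlib.decompress(compressed, wbits=-15)


def inflate_bounded(compressed: bytes, limit: int = MAX_PLAINTEXT_BYTES) -> bytes:
    """Inflate incrementally and abort as soon as output would exceed `limit` bytes.
    max_length caps each decompress() call, so memory stays O(limit) whatever the ratio."""
    d = zlib.decompressobj(wbits=-15)
    out = bytearray()
    data = compressed
    while data and not d.eof:
        out += d.decompress(data, limit - len(out) + 1)
        if len(out) > limit:
            raise PlaintextTooLarge(f"decompressed payload exceeds {limit} bytes")
        data = d.unconsumed_tail  # input zlib left unread because max_length was reached
    return bytes(out)


def demo() -> dict:
    """Bounded inflater accepts the normal claims and rejects the high-ratio payload."""
    bomb = deflate(HIGH_RATIO_PLAINTEXT)
    try:
        inflate_bounded(bomb)
        rejected = False
    except PlaintextTooLarge:
        rejected = True
    return {"benign_roundtrip": inflate_bounded(deflate(BENIGN_CLAIMS)) == BENIGN_CLAIMS,
            "bomb_compressed_bytes": len(bomb), "bomb_rejected": rejected,
            "bomb_ratio": len(HIGH_RATIO_PLAINTEXT) // len(bomb)}
```

In a real JWE pipeline the bound belongs inside the library's decrypt path, applied before the inflated bytes are handed to JSON parsing; a limit chosen from the largest legitimate claims set you issue also gives a clean detection signal when it fires.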
Solution
Upgrade Red Hat JBoss EAP to the latest version.
References
- CWE-1259
- CVE-2024-29371
- https://attackerkb.com/topics/CVE-2024-29371
- https://access.redhat.com/security/cve/CVE-2024-29371
- https://bugzilla.redhat.com/show_bug.cgi?id=2423194
- https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack
- https://access.redhat.com/errata/RHSA-2024:5482
- https://access.redhat.com/errata/RHSA-2025:17299