CVE-2024-29370: n/a
In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.
AI Analysis
Technical Summary
CVE-2024-29370 is a denial-of-service (DoS) vulnerability in python-jose 3.3.0, in the jwe.decrypt function that decrypts JSON Web Encryption (JWE) tokens. RFC 7516 lets a JWE protected header carry "zip": "DEF" to signal that the plaintext was DEFLATE-compressed before encryption; jwe.decrypt honours that flag by inflating the decrypted plaintext, and in 3.3.0 it did so with no bound on the size of the output. An attacker therefore compresses a large, highly redundant payload (a classic decompression bomb) into a few kilobytes, wraps it in a JWE whose header says "zip": "DEF", and submits it; the recipient inflates it into far more memory than the token's size suggests, burning CPU time and memory in proportion to the ratio the attacker chose until the worker slows to a crawl, is killed for exceeding its memory limit, or crashes. Because the compressed data sits inside the ciphertext, decompression only runs after decryption and authentication-tag verification succeed, so the attacker needs a token the recipient will accept. In practice that is the common case rather than a barrier: whenever the recipient accepts tokens encrypted to its public key (RSA-OAEP, RSA1_5, ECDH-ES and similar) anyone can build such a token, and no user credentials or prior authentication are needed; only deployments that rely solely on a secret symmetric key the attacker does not hold are shielded. No exploitation in the wild had been reported at the time of this analysis, and the CVE record carries no CVSS score. Upstream fixed the issue in python-jose 3.4.0 by bounding the size of the decompressed plaintext. The broader lesson applies to every decompression step fed by untrusted input: never inflate without a ceiling on the output size.
Potential Impact
For European organizations, the primary impact of CVE-2024-29370 is the potential for denial-of-service attacks against services that utilize python-jose 3.3.0 for JWE token decryption. This can disrupt critical authentication workflows, API gateways, or microservices relying on encrypted tokens, leading to service outages and degraded user experience. Organizations in sectors such as finance, healthcare, and government, which often use secure token-based authentication, may face operational interruptions and reputational damage. Additionally, resource exhaustion attacks can increase infrastructure costs due to elevated CPU and memory usage. The vulnerability does not directly compromise confidentiality or integrity but threatens availability, which can indirectly affect business continuity and compliance with service-level agreements and data protection regulations such as GDPR. Attackers could exploit this vulnerability to launch targeted DoS attacks, especially in environments where token validation is exposed to external inputs. The absence of known exploits suggests a window of opportunity for defenders to implement mitigations before widespread exploitation occurs.
Mitigation Recommendations
To mitigate CVE-2024-29370, first inventory every application and service that uses python-jose for JWE decryption and record the pinned version; anything on 3.3.0 or earlier is affected. The effective fix is to upgrade to python-jose 3.4.0 or later, which bounds the size of the decompressed plaintext. Where the upgrade must wait, apply controls at the token-handling layer, bearing in mind that the bomb itself is small: a cap on the length of the compact serialization (a few kilobytes is generous for typical claims) cuts off the largest payloads but does not, on its own, stop a few-kilobyte token from inflating to hundreds of megabytes. Stronger interim controls are to reject any token whose protected header contains "zip" if your issuers never compress (the header is base64url-encoded, not encrypted, so this check needs no key material), and to run decryption in a process or container with hard memory and CPU limits so that a bomb takes down one worker rather than the host. Rate limiting and anomaly detection on endpoints that accept JWE tokens blunt repeated attempts, and alerting on sudden memory or CPU spikes in token-handling workers gives early warning. A Web Application Firewall or API gateway can enforce token-length and header-shape policies, but it cannot see the compressed data inside the ciphertext, so do not rely on it to detect the bomb itself. Finally, make bounded decompression a standing rule for development teams: every inflate of untrusted input needs an output ceiling.
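The Python script below is an added example written for this analysis; it is not code from python-jose or from the CVE record. It illustrates both the mechanism described in the technical summary and the interim controls listed above: it builds the kind of raw-DEFLATE payload a JWE with "zip": "DEF" carries inside its ciphertext, reports the compression ratio, contrasts the unbounded inflate the advisory describes with one that stops at a fixed output ceiling, and runs a key-free protected-header check on a constructed compact JWE whose key, IV, ciphertext and tag segments are placeholder bytes rather than real ciphertext. The ceilings MAX_PLAINTEXT and MAX_TOKEN_LEN, the claim set and the sample headers are assumptions chosen for illustration.

```python
"""Added example for CVE-2024-29370 (illustrative, not python-jose's code):
a JWE "zip": "DEF" decompression bomb, the unbounded inflate the advisory
describes, a bounded inflate, and a key-free protected-header pre-check.
MAX_PLAINTEXT, MAX_TOKEN_LEN and the sample tokens are assumptions."""
import base64
import json
import zlib

MAX_PLAINTEXT = 256 * 1024     # assumed ceiling on decompressed JWE plaintext
MAX_TOKEN_LEN = 8 * 1024       # assumed ceiling on the compact serialization
RAW_DEFLATE = -zlib.MAX_WBITS  # negative wbits = raw DEFLATE, what "DEF" means


class DecompressionBombError(ValueError):
    """Decompressed output exceeded the configured ceiling."""


def deflate_raw(chunks) -> bytes:
    """Raw DEFLATE of byte chunks, as a JWE producer does before encrypting."""
    comp = zlib.compressobj(9, zlib.DEFLATED, RAW_DEFLATE)
    out = bytearray()
    for c in chunks:          # chunked input keeps the builder's own memory small
        out += comp.compress(c)
    out += comp.flush()
    return bytes(out)


def make_bomb(decompressed_size: int, chunk: int = 1 << 20) -> bytes:
    """A stream that inflates to decompressed_size zero bytes."""
    full, rest = divmod(decompressed_size, chunk)
    return deflate_raw([b"\0" * chunk] * full + ([b"\0" * rest] if rest else []))


def inflate_unbounded(data: bytes) -> bytes:
    """Vulnerable pattern: the sender decides how much memory this allocates."""
    return zlib.decompress(data, RAW_DEFLATE)


def inflate_bounded(data: bytes, limit: int = MAX_PLAINTEXT) -> bytes:
    """Inflate at most `limit` bytes; max_length makes zlib stop producing
    output at the ceiling, so a bomb costs limit+1 bytes before rejection."""
    d = zlib.decompressobj(wbits=RAW_DEFLATE)
    out = d.decompress(data, limit + 1)
    if len(out) > limit:
        raise DecompressionBombError(
            f"plaintext exceeds {limit} bytes from {len(data)} compressed bytes")
    if not d.eof:
        raise ValueError("truncated or incomplete DEFLATE stream")
    return out


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def precheck_compact_jwe(token: str, allow_zip: bool = False,
                         max_len: int = MAX_TOKEN_LEN) -> dict:
    """Checks needing no key material: length, 5-segment shape, and whether
    the (base64url-encoded, unencrypted) protected header asks for compression."""
    if len(token) > max_len:
        raise ValueError(f"token is {len(token)} bytes, limit is {max_len}")
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("not a compact JWE: expected 5 segments")
    header = json.loads(b64url_decode(parts[0]))
    if "zip" in header and not allow_zip:
        raise ValueError(f"compressed JWE rejected by policy (zip={header['zip']!r})")
    return header


def constructed_token(header: dict) -> str:
    """Constructed compact JWE: key/IV/ciphertext/tag are placeholder bytes,
    not real ciphertext. Only the header matters to the pre-check."""
    filler = b64url_encode(b"\x00" * 16)
    return ".".join([b64url_encode(json.dumps(header).encode()), filler, filler, filler, filler])


def rejects(fn, *args) -> bool:
    """True if fn(*args) raises ValueError (DecompressionBombError included)."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True


def demo(size: int = 16 * 1024 * 1024) -> dict:
    """Run the whole scenario and report what each control did."""
    bomb = make_bomb(size)
    claims = b'{"sub":"alice","scope":"read"}'   # constructed sample claim set
    small = deflate_raw([claims])
    zipped = constructed_token({"alg": "RSA-OAEP", "enc": "A256GCM", "zip": "DEF"})
    plain = constructed_token({"alg": "RSA-OAEP", "enc": "A256GCM"})
    return {
        "compressed_bytes": len(bomb),
        "ratio": size / len(bomb),
        "unbounded_inflates_to": len(inflate_unbounded(bomb)),
        "bounded_rejects_bomb": rejects(inflate_bounded, bomb),
        "bounded_rejects_truncated": rejects(inflate_bounded, small[:-3]),
        "bounded_passes_small": inflate_bounded(small) == claims,
        "precheck_rejects_zip": rejects(precheck_compact_jwe, zipped),
        "precheck_passes_plain": precheck_compact_jwe(plain)["enc"] == "A256GCM",
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v:.0f}" if isinstance(v, float) else f"{k}: {v}")
```

Running the script shows a 16 MiB plaintext compressing to a few tens of kilobytes, the unbounded inflate dutifully allocating all 16 MiB, the bounded inflate refusing after producing only MAX_PLAINTEXT + 1 bytes, and the header pre-check rejecting the "zip" token without touching any key. The ceiling on decompressed output is the control that actually neutralises the bomb; the header and length checks are cheap defence in depth for deployments that never issue compressed tokens.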
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2024-03-19T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6942d1adb2cbfb3efaa33d22
Added to database: 12/17/2025, 3:52:13 PM
Last enriched: 12/17/2025, 4:07:26 PM
Last updated: 12/18/2025, 7:38:00 AM