CVE-2024-29371: n/a
In jose4j before 0.9.5, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression.
AI Analysis
Technical Summary
CVE-2024-29371 is a vulnerability in the jose4j Java library, which is widely used for handling JSON Web Encryption (JWE) tokens. The flaw exists in versions prior to 0.9.5 and allows an attacker to craft a malicious JWE token with an exceptionally high compression ratio. When a vulnerable server processes such a token, the decompression step consumes excessive memory and CPU time, causing a denial-of-service (DoS) condition. This happens because decompression expands the compressed data to a size far larger than the input that was received, overwhelming system resources. The attack does not require authentication or user interaction, making it easier to execute remotely. Although no public exploits have been reported yet, the vulnerability poses a significant risk to availability for any service that relies on jose4j for token processing. No CVSS score has been assigned, so severity must be assessed from the impact and exploitability factors described here. The vulnerability has minimal effect on confidentiality and integrity but severely impacts availability through resource exhaustion. The scope covers all systems that process JWE tokens with a vulnerable jose4j version, and it is particularly relevant for web applications, APIs, and microservices that use jose4j for encryption and token validation.
Potential Impact
For European organizations, this vulnerability can lead to service outages and degraded performance in applications that rely on jose4j for JSON Web Encryption. Critical services such as identity providers, single sign-on systems, and API gateways using jose4j could be targeted to disrupt operations. The DoS condition can affect availability, potentially causing downtime and loss of business continuity. This may also lead to reputational damage and compliance issues, especially under regulations like GDPR that mandate service availability and data protection. Organizations in sectors such as finance, healthcare, and government, which often use secure token-based authentication, are particularly vulnerable. The lack of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits given the public disclosure. The impact is amplified in environments with high traffic volumes or limited resource capacity, common in many European enterprises and public sector deployments.
Mitigation Recommendations
The primary mitigation is to upgrade jose4j to version 0.9.5 or later, where this vulnerability has been addressed. Organizations should audit their software dependencies to identify any usage of vulnerable jose4j versions. Implementing strict resource limits and timeouts on decompression operations can help reduce the risk of resource exhaustion. Deploying Web Application Firewalls (WAFs) with rules to detect and block anomalous JWE tokens with suspicious compression ratios can provide an additional layer of defense. Monitoring system resource usage and setting alerts for unusual spikes during token processing can enable early detection of exploitation attempts. Security teams should also review and harden token validation logic to reject malformed or suspicious tokens before decompression. Finally, organizations should maintain an incident response plan to quickly mitigate DoS attacks and communicate with stakeholders.
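As an added illustration of two of the controls above (rejecting oversized compressed tokens before decryption, and bounding the decompression step itself), here is example Python code that is not part of this advisory or of jose4j. JWE compression is raw DEFLATE, signalled by the "zip":"DEF" protected-header parameter, which is what the bounded inflater handles; the size and ratio limits are assumed policy values, and deflate_raw exists only to build constructed sample payloads.

```python
import base64
import json
import zlib

# Policy values are assumptions for this example, not jose4j settings.
MAX_PLAINTEXT_BYTES = 256 * 1024   # hard cap on inflated JWE plaintext
MAX_EXPANSION_RATIO = 100          # inflated bytes allowed per compressed byte
MAX_CIPHERTEXT_BYTES = 64 * 1024   # cap on a compressed (zip=DEF) ciphertext

class DecompressionLimitExceeded(Exception):
    """Raised when a JWE payload inflates past the configured limits."""

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwe_compact_precheck(token: str) -> dict:
    """Reject oversized compressed tokens before any decryption; returns the header."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("JWE compact serialization needs 5 segments")
    hdr_b64, _, _, ct_b64, _ = parts
    header = json.loads(base64.urlsafe_b64decode(hdr_b64 + "=" * (-len(hdr_b64) % 4)))
    if header.get("zip") == "DEF" and len(ct_b64) * 3 // 4 > MAX_CIPHERTEXT_BYTES:
        raise ValueError("compressed JWE ciphertext exceeds size policy")
    return header

def inflate_bounded(data: bytes, max_out: int = MAX_PLAINTEXT_BYTES,
                    max_ratio: int = MAX_EXPANSION_RATIO, chunk: int = 64 * 1024) -> bytes:
    """Inflate raw DEFLATE (JWE "zip":"DEF", RFC 1951) with bounded output.
    Output is pulled in chunk-sized pieces via max_length, so memory stays near
    the caps no matter how well the input compresses."""
    d = zlib.decompressobj(wbits=-15)          # -15 = raw DEFLATE, no zlib header
    out, buf = bytearray(), data
    while not d.eof:
        n_in = len(buf)
        piece = d.decompress(buf, chunk)       # at most `chunk` bytes per call
        out += piece
        if len(out) > max_out or len(out) > max_ratio * max(len(data), 1):
            raise DecompressionLimitExceeded(
                f"{len(out)}+ bytes inflated from {len(data)} compressed bytes")
        buf = d.unconsumed_tail
        if not piece and len(buf) == n_in:     # no progress: truncated/malformed stream
            raise ValueError("truncated DEFLATE stream")
    return bytes(out)

def deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE encoder, used here only to build constructed sample payloads."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(data) + c.flush()
```

Because the inflater only ever holds about one extra chunk beyond the cap, a payload that would expand to many megabytes is rejected after a few hundred kilobytes of work instead of exhausting the heap.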
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2024-03-19T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 6942d536b2cbfb3efaa86de5
Added to database: 12/17/2025, 4:07:18 PM
Last enriched: 12/17/2025, 4:23:03 PM
Last updated: 12/18/2025, 7:07:12 AM