CVE-2025-63811 identifies a Denial-of-Service vulnerability in the jose2go library, versions 1.5.0 through 1.7.0, which is used for JSON Web Encryption (JWE) processing. The vulnerability arises when the library processes JWE tokens that have been crafted to contain an exceptionally high compression ratio. This causes excessive resource consumption during decompression, leading to exhaustion of CPU and memory resources, ultimately resulting in a denial of service. The flaw is categorized under CWE-400, indicating uncontrolled resource consumption. The attack vector is network-based, requiring no privileges or user interaction, making it relatively easy to exploit remotely. The CVSS v3.1 base score is 7.5, reflecting high severity due to the impact on availability without affecting confidentiality or integrity. No patches or fixes have been released at the time of publication, and no known exploits have been observed in the wild. The vulnerability affects applications and services that rely on jose2go for secure token handling, potentially disrupting authentication or authorization workflows. Organizations using jose2go should be aware of this risk and prepare mitigation strategies to prevent service outages.

For European organizations, the primary impact of CVE-2025-63811 is the potential disruption of services that rely on jose2go for JWE token processing. This can lead to denial-of-service conditions, causing downtime or degraded performance of critical applications, including identity management, API gateways, and secure communications. The availability impact could affect customer-facing services, internal authentication systems, and any microservices architecture components that use jose2go. Given the vulnerability does not affect confidentiality or integrity, data breaches are unlikely; however, service unavailability can lead to operational disruptions, reputational damage, and financial losses. Organizations in sectors such as finance, healthcare, and government, which often use secure token-based authentication, may face heightened risks. Additionally, the lack of patches increases exposure time, emphasizing the need for proactive defenses. The ease of remote exploitation without authentication or user interaction further elevates the threat level.

1. Monitor network traffic and application logs for anomalous JWE tokens exhibiting unusually high compression ratios or sizes. 2. Implement rate limiting and throttling on endpoints that process JWE tokens to reduce the risk of resource exhaustion. 3. Employ Web Application Firewalls (WAFs) or API gateways capable of detecting and blocking suspicious token payloads. 4. Where possible, disable or restrict support for compressed JWE tokens until a patch is available. 5. Engage with the jose2go maintainers or community to track patch releases and apply updates promptly once available. 6. Conduct thorough testing of token processing components under load to identify potential resource exhaustion scenarios. 7. Consider deploying resource quotas or container limits to prevent a single process from consuming excessive system resources. 8. Educate development and security teams about this vulnerability to ensure secure token handling practices.