CVE-2025-65015 is a critical resource exhaustion vulnerability in the joserfc Python library, which implements JSON Object Signing and Encryption (JOSE) standards. The flaw exists in versions 1.3.3 through before 1.3.5 and 1.4.0 through before 1.4.2. When decoding JWT tokens, if a token exceeds expected size limits, the library raises an ExceededSizeError exception embedding the entire JWT payload in the exception message. Since the payload is already fully loaded into memory during the decode operation, the library cannot prevent processing of arbitrarily large tokens. In scenarios where a Python web application uses joserfc behind a misconfigured or absent production-grade web server, an attacker can send oversized bearer tokens in HTTP headers. These large tokens cause Python logging frameworks or diagnostic tools like Sentry to process and store extremely large log messages containing the full JWT header and payload. This can lead to excessive memory consumption, disk usage, and potential denial of service conditions. The vulnerability does not require authentication or user interaction and can be exploited remotely. The issue was patched in joserfc versions 1.3.5 and 1.4.2 by preventing embedding of full payloads in exception messages and adding proper size checks. No known exploits are currently reported in the wild, but the high CVSS 4.0 score of 9.2 reflects the critical risk posed by this vulnerability.

For European organizations, this vulnerability poses a significant risk of denial of service attacks against Python web applications that rely on vulnerable joserfc versions for JWT processing. Attackers can exploit this flaw to overwhelm application memory and logging infrastructure by sending oversized JWT bearer tokens, potentially causing application crashes, degraded performance, or loss of availability. This can disrupt critical services, especially in sectors like finance, healthcare, and government where JWT-based authentication is common. Additionally, logging systems may become unreliable or corrupted due to excessively large log entries, complicating incident response and monitoring. Organizations with inadequate front-end web server configurations that do not enforce request size limits are particularly vulnerable. The lack of authentication or user interaction requirements makes exploitation easier and increases the attack surface. The vulnerability could also be leveraged as part of multi-stage attacks to distract defenders or degrade security monitoring capabilities.

1. Upgrade all instances of the joserfc library to versions 1.3.5 or 1.4.2 or later, which contain patches preventing full payload embedding in exception messages and enforce size limits. 2. Configure production-grade web servers (e.g., Nginx, Apache) or API gateways to enforce strict limits on HTTP header sizes and overall request sizes to block oversized JWT tokens before they reach the application. 3. Deploy Web Application Firewalls (WAFs) with rules to detect and block anomalously large bearer tokens or suspicious JWT structures. 4. Monitor application logs and diagnostic tools for unusually large log entries or spikes in memory/disk usage that may indicate exploitation attempts. 5. Review and harden logging configurations to limit maximum log message sizes and prevent logging of untrusted input in full. 6. Conduct security testing and code reviews to ensure no other components embed large untrusted data in exceptions or logs. 7. Educate development and operations teams about the risks of resource exhaustion via unbounded input processing and the importance of input validation and throttling.