Aggregates CVE and security vulnerability intelligence across all jose4j_project-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Common weakness patterns include denial of service, with a potential impact of application crashes in software deployments and production workloads.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2024-29371 | In jose4j before 0.9.6, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. | [email protected] | 7.5 | 0.02% | 2025-12-17 | 2026-01-23 |
| CVE-2023-51775 | The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value. | [email protected] | 6.5 | 0.43% | 2024-02-29 | 2025-11-03 |
| CVE-2023-31582 | jose4j before v0.9.3 allows attackers to set a low iteration count of 1000 or less. | [email protected] | 7.5 | 0.18% | 2023-10-25 | 2024-11-21 |