CVE-2025-65015 Common Vulnerabilities and Exposures

Upstream information

CVE-2025-65015 at MITRE

Description

joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In versions from 1.3.3 to before 1.3.5 and from 1.4.0 to before 1.4.2, the ExceededSizeError exception messages are embedded with non-decoded JWT token parts and may cause Python logging to record an arbitrarily large, forged JWT payload. In situations where a misconfigured - or entirely absent - production-grade web server sits in front of a Python web application, an attacker may be able to send arbitrarily large bearer tokens in the HTTP request headers. When this occurs, Python logging or diagnostic tools (e.g., Sentry) may end up processing extremely large log messages containing the full JWT header during the joserfc.jwt.decode() operation. The same behavior also appears when validating claims and signature payload sizes, as the library raises joserfc.errors.ExceededSizeError() with the full payload embedded in the exception message. Since the payload is already fully loaded into memory at this stage, the library cannot prevent or reject it. This issue has been patched in versions 1.3.5 and 1.4.2.

Other Security Trackers

EUVD-2025-198059

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having important severity.

CVSS v4 Scores
CVSS detail	CNA (GitHub)	SUSE
Base Score	9.2	9.2
Vector	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector	Network	Network
Attack Complexity	Low	Low
Attack Requirements	None	None
Privileges Required	None	None
User Interaction	None	None
Vulnerable System Confidentiality Impact	None	None
Vulnerable System Integrity Impact	None	None
Vulnerable System Availability Impact	High	High
Subsequent System Confidentiality Impact	None	None
Subsequent System Integrity Impact	None	None
Subsequent System Availability Impact	High	High
CVSSv4 Version	4.0	4.0

SUSE Bugzilla entry: 1253737 [NEW]

No SUSE Security Announcements cross referenced.

SUSE Timeline for this CVE

CVE page created: Wed Nov 19 02:02:35 2025
CVE page last modified: Wed Nov 19 12:54:44 2025