Open alistairwatts opened 5 months ago
Is this repository still maintained? Would be great to check and merge this PR.
Thank you for this work @alistairwatts. Would love to see this PR go in.
Let's try pinging @asherf and @mpdavis
@mpdavis
if @mpdavis does not work maybe @michaeldavis-wf will?
Can you rebase your changes onto the latest master branch and force-update your branch for this PR?
@alistairwatts
@twwildey
Any updates here?
This fix for CVE-2024-33664 ensures that any incoming JWE is under 250K, which seems to be a sensible, albeit large limit. The specific fix for the "zip bomb" issue ensures that we decompress no more than 250K of data. If that limit is reached then a JWEError is raised.
There's rough symmetry here ensuring that both compressed and uncompressed JWE data is no more than 250K.
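As an added illustration of the bounded-decompression approach described in the comment above (this is example code written for this page, not the PR's diff or python-jose's own implementation), the block below inflates a raw-DEFLATE JWE payload (the encoding behind "zip": "DEF") while refusing to emit more than a cap. The 250K limit, the stand-in JWEError class and the helper names are assumptions; the zip-bomb input is constructed inline for the demo.

```python
import zlib

# Hypothetical cap mirroring the 250K figure discussed in the thread.
MAX_JWE_SIZE = 250 * 1024


class JWEError(Exception):
    """Stand-in for the library's JWEError so this example runs on its own."""


def deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE (no zlib header/trailer), the form JWE uses for "zip": "DEF"."""
    co = zlib.compressobj(level=9, method=zlib.DEFLATED, wbits=-zlib.MAX_WBITS)
    return co.compress(data) + co.flush()


def make_zip_bomb(inflated_size: int = 10 * 1024 * 1024) -> bytes:
    """Constructed attacker payload: a few KB of DEFLATE that inflate to `inflated_size` bytes."""
    return deflate_raw(b"\x00" * inflated_size)


def unbounded_inflate(compressed: bytes) -> bytes:
    """The unsafe pattern: one-shot decompression with no cap on the output size."""
    return zlib.decompress(compressed, -zlib.MAX_WBITS)


def bounded_inflate(compressed: bytes, limit: int = MAX_JWE_SIZE) -> bytes:
    """Inflate raw DEFLATE data, raising JWEError once output would exceed `limit` bytes.

    decompressobj.decompress(data, max_length) stops after emitting max_length bytes and
    parks the unread input in .unconsumed_tail, so memory never grows past limit + 1.
    """
    if len(compressed) > limit:
        raise JWEError("compressed JWE payload exceeds %d bytes" % limit)
    d = zlib.decompressobj(wbits=-zlib.MAX_WBITS)  # negative wbits selects raw DEFLATE
    out = bytearray()
    pending = compressed
    try:
        while pending and not d.eof:
            # Ask for at most limit + 1 bytes in total; max_length is always >= 1 here
            # (max_length=0 would mean "no limit", which is exactly the bug being fixed).
            out += d.decompress(pending, limit + 1 - len(out))
            if len(out) > limit:
                raise JWEError("decompressed JWE payload exceeds %d bytes" % limit)
            pending = d.unconsumed_tail
        out += d.flush()
    except zlib.error as exc:
        raise JWEError("invalid DEFLATE data: %s" % exc) from exc
    if len(out) > limit:
        raise JWEError("decompressed JWE payload exceeds %d bytes" % limit)
    return bytes(out)


def accepts(compressed: bytes, limit: int = MAX_JWE_SIZE) -> bool:
    """True if bounded_inflate accepts the payload, False if it raises JWEError."""
    try:
        bounded_inflate(compressed, limit)
        return True
    except JWEError:
        return False


if __name__ == "__main__":
    bomb = make_zip_bomb()
    print("bomb is %d bytes compressed" % len(bomb))
    print("bounded_inflate accepts bomb:", accepts(bomb))
    print("round trip ok:", bounded_inflate(deflate_raw(b"hello jwe")) == b"hello jwe")
```

The check on the compressed length and the check on the inflated length are the two halves of the "rough symmetry" mentioned above: the first bounds what the parser has to hold before decompression, the second bounds what decompression is allowed to produce. Note that the cap is enforced by the `max_length` argument on every call, never by measuring the result after an unbounded call, since by then the allocation has already happened.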