chihlasm/resolutionflow
1
0
Fork 0
Code Issues 23 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix: resolve python-jose CVEs (CVE-2024-33663, CVE-2024-33664)

Browse Source 
Update python-jose from 3.3.0 to 3.5.0 to fix:
- CVE-2024-33663: Algorithm confusion with ECDSA keys (High)
- CVE-2024-33664: JWT bomb DoS via high compression ratio (High)

Remaining accepted risk: ecdsa CVE-2024-23342 (Minerva timing attack)
- No fix available (maintainer considers side-channel attacks out of scope)
- Non-exploitable in this app: JWTs use HMAC (HS256), not ECDSA signing

All 189 tests pass. npm audit: 0 vulnerabilities.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
chihlasm
2026-02-08 14:43:13 -05:00
parent e5f5415915
commit e772877996
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
backend/requirements.txt
View File

@@ -9,7 +9,7 @@ psycopg2-binary==2.9.9
alembic==1.18.3
# Authentication
python-jose[cryptography]==3.3.0
python-jose[cryptography]==3.5.0
passlib[bcrypt]==1.7.4
bcrypt==4.1.2
python-multipart==0.0.22