From e772877996d5be710db3acb6a01370c50bb7eefa Mon Sep 17 00:00:00 2001 From: chihlasm Date: Sun, 8 Feb 2026 14:43:13 -0500 Subject: [PATCH] fix: resolve python-jose CVEs (CVE-2024-33663, CVE-2024-33664) Update python-jose from 3.3.0 to 3.5.0 to fix: - CVE-2024-33663: Algorithm confusion with ECDSA keys (High) - CVE-2024-33664: JWT bomb DoS via high compression ratio (High) Remaining accepted risk: ecdsa CVE-2024-23342 (Minerva timing attack) - No fix available (maintainer considers side-channel attacks out of scope) - Non-exploitable in this app: JWTs use HMAC (HS256), not ECDSA signing All 189 tests pass. npm audit: 0 vulnerabilities. Co-Authored-By: Claude Opus 4.6 --- backend/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backend/requirements.txt b/backend/requirements.txt index 35081e29..984c1be7 100644 --- a/backend/requirements.txt +++ b/backend/requirements.txt @@ -9,7 +9,7 @@ psycopg2-binary==2.9.9 alembic==1.18.3 # Authentication -python-jose[cryptography]==3.3.0 +python-jose[cryptography]==3.5.0 passlib[bcrypt]==1.7.4 bcrypt==4.1.2 python-multipart==0.0.22 -- 2.49.1
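Review bot: The accepted-risk argument in the commit message (ecdsa CVE-2024-23342 is non-exploitable because tokens use HS256) depends on the verifier only accepting HS256, and nothing in this hunk enforces or demonstrates that; the requirements.txt bump alone does not show which algorithms `jwt.decode` accepts, so the review should confirm that the decode call pins `algorithms=["HS256"]` before treating the ecdsa advisory as out of scope. Separately, "npm audit: 0 vulnerabilities" is not evidence for a Python dependency change; the relevant check for this hunk is a Python auditor (for example `pip-audit -r backend/requirements.txt`) run against the new pin, and its result is what the commit message should record for the two CVEs it claims to close.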