fix: resolve python-jose security vulnerabilities #42

Merged

chihlasm merged 1 commits from fix/security-audit into main

2026-02-08 19:44:00 +00:00

Author	SHA1	Message	Date
chihlasm	e772877996	fix: resolve python-jose CVEs (CVE-2024-33663, CVE-2024-33664) Update python-jose from 3.3.0 to 3.5.0 to fix: - CVE-2024-33663: Algorithm confusion with ECDSA keys (High) - CVE-2024-33664: JWT bomb DoS via high compression ratio (High) Remaining accepted risk: ecdsa CVE-2024-23342 (Minerva timing attack) - No fix available (maintainer considers side-channel attacks out of scope) - Non-exploitable in this app: JWTs use HMAC (HS256), not ECDSA signing All 189 tests pass. npm audit: 0 vulnerabilities. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-08 14:43:13 -05:00

Author

SHA1

Message

Date

chihlasm

e772877996

fix: resolve python-jose CVEs (CVE-2024-33663, CVE-2024-33664)

Update python-jose from 3.3.0 to 3.5.0 to fix:
- CVE-2024-33663: Algorithm confusion with ECDSA keys (High)
- CVE-2024-33664: JWT bomb DoS via high compression ratio (High)

Remaining accepted risk: ecdsa CVE-2024-23342 (Minerva timing attack)
- No fix available (maintainer considers side-channel attacks out of scope)
- Non-exploitable in this app: JWTs use HMAC (HS256), not ECDSA signing

All 189 tests pass. npm audit: 0 vulnerabilities.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-08 14:43:13 -05:00

fix: resolve python-jose security vulnerabilities #42

1 Commits