Add advisory: python-jose JWE CBC-HMAC padding oracle (all versions through 3.5.0)

[yugui923]

New advisory submission

New advisory for a padding oracle vulnerability in python-jose's JWE CBC-HMAC decryption.

Note: The GHSA ID is a placeholder (GHSA-0000-0000-0001). Please assign a proper GHSA ID during review. The repository (mpdavis/python-jose) does not have private vulnerability reporting enabled, so this advisory is being submitted directly here.

Summary

• Package: python-jose (PyPI)
• Affected: all versions through 3.5.0 (no fix exists; project appears unmaintained)
• CWE: CWE-203 (Observable Discrepancy), CWE-354 (Improper Validation of Integrity Check Value)
• CVSS v3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N (5.9 — Moderate)
• CVSS v4.0: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Vulnerability details

_decrypt_and_auth() in jose/jwe.py performs PKCS#7 CBC decryption before verifying the HMAC authentication tag. Tampered ciphertext with invalid padding raises "Invalid padding bytes." before the tag check, while valid padding with a wrong tag raises "Invalid JWE Auth Tag." This observable error difference enables a classic padding oracle attack recovering the full plaintext without the decryption key (~128 × N requests where N is ciphertext length in bytes).

Additionally, the authentication tag comparison uses Python's != operator (not constant-time).

This is the same vulnerability class as CVE-2021-29443 in the Node.js jose library (GHSA-58f5-hfqc-jgch), which was fixed in 2021.

Disclosure timeline

• 2026-02-17: Maintainer contacted via email
• 2026-03-05: No response after 14+ days; repository has no SECURITY.md and no private vulnerability reporting

References

• Analogous Node.js fix: GHSA-58f5-hfqc-jgch
• Source: https://github.com/mpdavis/python-jose
• RFC 7516: https://tools.ietf.org/html/rfc7516