CVE-2025-63811: 
Linux Debian vulnerability analysis and mitigation

CVE-2025-63811 affects dvsekhvalnov jose2go versions 1.5.0 through 1.7.0. The vulnerability was discovered and disclosed on March 3, 2024, impacting the JSON Web Encryption (JWE) token processing functionality (GitHub Issue).

The vulnerability exists in the decode function of jose2go where the application fails to properly handle compressed JWE tokens. The issue specifically occurs during the decompression process of JWE tokens, where the application does not implement proper size limits for decompressed data (GitHub Issue).

When exploited, this vulnerability can lead to a Denial-of-Service (DoS) condition. An attacker can craft a JWE token with an exceptionally high compression ratio that, when processed by the server, results in significant memory allocation and processing time during decompression (GitHub Issue).

It is recommended to limit the maximum token length to 250K, following the approach adopted by the JWT library System.IdentityModel.Tokens.Jwt used in Microsoft Azure. This limitation effectively prevents attackers from exploiting the vulnerability with high compression ratio tokens (GitHub Issue).