diff -Naur python-jose-3.3.0/jose/jwe.py python-jose-3.3.0_cve/jose/jwe.py
--- python-jose-3.3.0/jose/jwe.py	2021-06-05 00:11:22.000000000 +0800
+++ python-jose-3.3.0_cve/jose/jwe.py	2024-04-26 17:33:01.319314391 +0800
@@ -76,6 +76,10 @@
         >>> jwe.decrypt(jwe_string, 'asecret128bitkey')
         'Hello, World!'
     """
+    # limit the token size to 250 KB
+    if len(jwe_str) > 250 * 1024:
+        raise JWEError("JWE string exceeds 250 KB")
+ 
     header, encoded_header, encrypted_key, iv, cipher_text, auth_tag = _jwe_compact_deserialize(jwe_str)
 
     # Verify that the implementation understands and can process all