CVE-2026-27932
CPU Exhaustion DoS in joserfc PBES2 JWE Decryption
Publication date: 2026-03-03
Last updated on: 2026-03-05
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hsiaoming | joserfc | to 1.6.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the joserfc Python library, which implements JSON Object Signing and Encryption (JOSE) standards. In versions 1.6.2 and earlier, an attacker can exploit a resource exhaustion flaw by sending a specially crafted JSON Web Encryption (JWE) token that uses Password-Based Encryption (PBES2) algorithms.
The vulnerability arises because the library reads the p2c (PBES2 Count) parameter from the token's protected header without validating or limiting its value. This parameter controls the number of iterations for the PBKDF2 key derivation function.
An attacker can specify an extremely large iteration count (for example, 2^31 - 1), causing the server to perform excessive CPU work during decryption, leading to a Denial of Service (DoS) via CPU exhaustion.
This affects all high-level JWE and JWT decryption interfaces in joserfc if PBES2 algorithms are permitted by the application's policy.
How can this vulnerability impact me? :
This vulnerability can lead to a Denial of Service (DoS) condition on systems using the vulnerable joserfc library.
An unauthenticated attacker can cause the server to consume excessive CPU resources by sending a maliciously crafted token with a very high iteration count for the PBKDF2 function.
As a result, legitimate users may experience degraded performance or complete service outages due to resource exhaustion.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should ensure that your application does not allow unbounded or excessively large iteration counts (p2c parameter) when decrypting JSON Web Encryption (JWE) tokens using PBES2 algorithms.
Specifically, update joserfc to a version later than 1.6.2 where this issue is fixed or implement validation to limit the maximum allowed iteration count to prevent CPU exhaustion.
Additionally, review your application's policy to restrict or disable the use of PBES2 algorithms if they are not necessary.