Vulnerability Summary
| Field | Details |
|---|---|
| CVE ID | CVE-2026-27932 |
| Component | joserfc (Python JOSE / JWT cryptography library) |
| Vulnerability Type | Denial of Service (Resource Exhaustion) |
| Severity | High |
| CVSS v3.1 Score | 7.5 |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Impact | Service Availability |
| Exploitability | High |
| Public Exploit | No confirmed weaponized exploit publicly distributed |
| PoC Availability | Conceptual exploitation possible with crafted JWE token |
| CWE | CWE-770 – Allocation of Resources Without Limits |
| Affected Software | joserfc Python library |
| Affected Versions | Versions up to 1.6.2 |
| Fixed Version | 1.6.3 |
Overview
A denial-of-service vulnerability was identified in the joserfc Python library, which is commonly used to process JSON Object Signing and Encryption (JOSE) standards such as JWT, JWS, JWE, and JWK.
The issue occurs during the processing of PBES2-based encryption algorithms used in JWE tokens. During the decryption process, the implementation reads the PBES2 iteration count parameter (p2c) directly from the token header.
The iteration value determines how many times a password-based key derivation function (PBKDF2) must execute in order to generate the cryptographic key required for decryption.
In the vulnerable versions of the library, this value was not restricted or validated. Because the header of a JWE token can be controlled by the sender, a malicious actor could intentionally specify an extremely large iteration count.
When such a token is processed, the server attempts to perform the specified number of cryptographic operations. This results in excessive CPU usage, causing worker threads to stall and preventing legitimate requests from being processed.
Under sustained attack conditions, this behavior could cause a full denial of service.
Technical Details
PBES2 encryption combines PBKDF2 key derivation with symmetric encryption algorithms.
During token decryption the following parameters are processed:
alg– PBES2 algorithm identifierp2c– PBKDF2 iteration countp2s– salt value
The vulnerable workflow processes the token header in the following sequence:
- A JWE token is received by the application.
- The protected header is parsed.
- The PBES2 algorithm handler extracts the
p2cparameter. - The value is passed to the PBKDF2 function.
- The key derivation routine begins executing the specified number of iterations.
Because there is no upper bound validation, extremely large iteration values may be accepted.
Example of dangerous values:
p2c = 50000000
p2c = 100000000
p2c = 2147483647
At such values the cryptographic function may run for an extended period of time, consuming large amounts of CPU resources.
This occurs before token authentication validation, which means an attacker does not need valid credentials.
Root Cause
The vulnerability is caused by improper validation of attacker-controlled cryptographic parameters.
The iteration count (p2c) extracted from the JWE header is directly used in the PBKDF2 key derivation process without verifying whether the value is within a safe operational range.
As a result:
- CPU intensive operations are triggered
- Worker threads become blocked
- Authentication services slow down or stop responding
This behavior represents a classic algorithmic complexity denial-of-service condition.
Affected Environments
Any application that uses joserfc for JWE decryption may be affected.
Typical environments include:
- Python authentication services
- OAuth providers
- Identity management platforms
- API gateways performing token validation
- Microservices validating encrypted JWT tokens
- Cloud authentication middleware
Frameworks where the library may commonly appear:
- FastAPI
- Flask
- Django APIs
- Serverless authentication handlers
If JWE tokens using PBES2 algorithms are accepted by the application, the attack surface is present.
Attack Scenario
A typical exploitation path may occur as follows:
- An application exposes an endpoint that accepts encrypted tokens.
- The backend service processes these tokens using the joserfc library.
- An attacker generates a malicious JWE token containing an extremely large PBES2 iteration value.
- The token is sent repeatedly to the authentication endpoint.
- Each request forces the server to perform expensive PBKDF2 calculations.
- System CPU usage increases significantly.
- Legitimate authentication requests begin to fail or timeout.
In production environments with limited worker threads, only a small number of malicious requests may be required to disrupt service availability.
Proof-of-Concept (Educational)
The following example demonstrates how a malicious token header could be constructed.
This example is provided only for security testing and educational purposes.
Example JWE header:
{
"alg": "PBES2-HS256+A128KW",
"enc": "A128GCM",
"p2c": 2147483647,
"p2s": "QUFBQUFBQUFBQUFB"
}
After Base64 encoding the header may resemble:
eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJwMmMiOjIxNDc0ODM2NDcsInAycyI6IlFVRkJRVUZCIn0
When the token is submitted to a vulnerable service, the PBKDF2 routine attempts to run billions of iterations.
The resulting CPU load may cause the application process to stall.
Indicators of Exploitation
During exploitation attempts the following behaviors may be observed:
- Authentication endpoints responding slowly
- CPU utilization reaching near 100 percent
- Increased request processing latency
- Thread pool exhaustion in application servers
- Token parsing errors related to PBES2
- Sudden spikes in requests containing encrypted JWT tokens
In application traces the following function activity may appear repeatedly:
PBKDF2 key derivation
compute_derived_key
PBES2 decrypt routine
Detection
Detection should focus on identifying abnormal PBES2 iteration values within incoming JWE tokens and monitoring cryptographic processing anomalies.
Network Detection
Encrypted JWT tokens should be inspected for abnormal PBES2 parameters.
Indicators include:
- Presence of
p2cvalues significantly higher than standard security recommendations - Repeated tokens containing extremely large iteration counts
Normal PBES2 iteration ranges:
1000 – 100000
Suspicious values:
> 200000
> 500000
> 1000000
Log Sources
Detection visibility may be obtained from the following sources:
Application Logs
Authentication Service Logs
JWT Validation Logs
API Gateway Logs
Reverse Proxy Logs (Nginx / Apache)
Web Application Firewall Logs
Container Resource Metrics
Kubernetes Node Monitoring
Infrastructure Performance Monitoring
Detection Queries
Splunk
index=application_logs
("PBES2" OR "p2c")
| rex "p2c[:=]\s*(?<iteration>\d+)"
| where iteration > 100000
| stats count by src_ip iteration endpoint
Elastic / Kibana
message:("PBES2" OR "p2c")
| parse message "*p2c*: *" as p2c
| where to_long(p2c) > 100000
| stats count by source.ip, p2c
Microsoft Sentinel (KQL)
AppLogs
| where Message contains "p2c"
| extend iteration = toint(extract("p2c[:= ]+(\\d+)",1,Message))
| where iteration > 100000
| summarize count() by SourceIP, iteration, Endpoint
Generic Log Pattern Detection
p2c=1000000
p2c=5000000
p2c=2147483647
These values should be considered abnormal and investigated.
MITRE ATT&CK Mapping
| Tactic | Technique | Description |
|---|---|---|
| Impact | T1499 | Endpoint Denial of Service |
| Impact | T1499.004 | Application Exhaustion |
| Resource Development | T1587 | Development of Malicious Payload |
The attack aligns with the application exhaustion technique, where computationally expensive operations are triggered intentionally.
Mitigation
Immediate mitigation measures include:
- Upgrading the joserfc library to the patched version
- Rejecting tokens with excessive PBES2 iteration counts
- Disabling PBES2 algorithms if not required
- Implementing strict token validation policies
- Enforcing request rate limiting on authentication endpoints
- Monitoring CPU consumption spikes in authentication services
Server-side validation example:
if p2c > 100000:
reject_token()
Remediation
The vulnerability was addressed in joserfc version 1.6.3, where limits were introduced to prevent extremely large PBES2 iteration counts from being processed.
Upgrading the dependency resolves the issue.
Upgrade command:
pip install --upgrade joserfc
Official Patch / Upgrade Link
https://github.com/authlib/joserfc/releases/tag/v1.6.3
Security Considerations
Cryptographic algorithms that accept parameters from external input must always enforce strict operational limits.
Failure to validate such parameters may allow attackers to transform legitimate cryptographic functions into denial-of-service vectors.
The issue highlighted in CVE-2026-27932 demonstrates how computationally expensive algorithms, when improperly controlled, may be leveraged to disrupt authentication infrastructure and degrade application availability.
