PT-2026-22699 · PyPI · joserfc

Jaynornj +1 · Published 2026-03-02 · Updated 2026-06-03 · CVE-2026-27932

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: joserfc versions 1.6.2 and earlier

Description: joserfc is a Python library implementing JSON Object Signing and Encryption (JOSE) standards. A resource exhaustion issue in joserfc can lead to a Denial of Service (DoS) through CPU exhaustion. When decrypting a JSON Web Encryption (JWE) token using Password-Based Encryption (PBES2) algorithms, the library reads the p2c (PBES2 Count) parameter from the token's protected header without validation. An attacker can specify a large iteration count, forcing the server to expend significant CPU resources during token processing. This occurs at the JWA layer and affects all high-level JWE and JWT decryption interfaces if PBES2 algorithms are permitted by the application's policy.

Recommendations: Versions prior to 1.6.3 should be updated.
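As an added defender-side example, not part of this advisory or of the joserfc project, the following Python inspects a compact JWE's protected header before any decryption call and rejects PBES2 tokens whose p2c is missing, non-integer, or outside a configured range; it uses only the standard library, so it can sit in front of any JOSE implementation, including unpatched joserfc. The MIN_P2C and MAX_P2C values and all function names are assumptions for this example (RFC 7518 recommends at least 1000 iterations; the cap is a per-service CPU budget).

```python
import base64
import json

# PBES2 key-management algorithm names from RFC 7518 section 4.8
PBES2_ALGS = {"PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW"}
# Iteration-count policy (assumed values): RFC 7518 recommends >= 1000; the cap
# is this service's CPU budget per token, not a value from any standard.
MIN_P2C = 1_000
MAX_P2C = 100_000

def _b64url_decode(segment: str) -> bytes:
    # JWE segments omit base64url padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def protected_header(token: str) -> dict:
    """Parse the protected header of a compact JWE; no key material needed."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("not a compact JWE: expected 5 dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    return header

def check_pbes2_cost(token: str, max_p2c: int = MAX_P2C) -> dict:
    """Return the header if within policy, else raise ValueError.
    Run this before the library's decrypt call, so an oversized p2c is
    rejected before any PBKDF2 work starts."""
    header = protected_header(token)
    if header.get("alg") not in PBES2_ALGS:
        return header  # not PBES2, so p2c plays no role in decryption
    p2c = header.get("p2c")
    # bool is a subclass of int in Python; exclude it explicitly
    if isinstance(p2c, bool) or not isinstance(p2c, int):
        raise ValueError("PBES2 token without an integer p2c")
    if not MIN_P2C <= p2c <= max_p2c:
        raise ValueError(f"p2c={p2c} outside allowed range [{MIN_P2C}, {max_p2c}]")
    return header

def is_acceptable(token: str, max_p2c: int = MAX_P2C) -> bool:
    # Boolean form of check_pbes2_cost, convenient in a request filter
    try:
        check_pbes2_cost(token, max_p2c)
        return True
    except ValueError:
        return False

def make_token(header: dict) -> str:
    """Constructed compact JWE for testing: real header, placeholder segments."""
    seg = base64.urlsafe_b64encode(json.dumps(header).encode()).decode().rstrip("=")
    return ".".join([seg, "ek", "iv", "ct", "tag"])
```

Pair this pre-check with an algorithm allowlist that leaves PBES2 out unless the application actually needs password-based key wrapping, since the advisory notes the issue only applies when policy permits those algorithms.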

Tags: Exploit · Fix · DoS

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

CVE-2026-27932
GHSA-W5R5-M38G-F9F9
OPENSUSE-SU-2026:10293-1
OPENSUSE-SU-2026:20322-1

Affected Products

Joserfc