PT-2026-26212 · Simplejwt · Simplejwt

Edoardottt · Published 2026-03-18 · Updated 2026-03-21 · CVE-2026-33204

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: SimpleJWT versions prior to 1.1.1
Description: A flaw in SimpleJWT allows an unauthenticated attacker to cause a denial of service by manipulating the JWE protected header when a PBES2 key-management algorithm is used. The library does not validate the PBKDF2 iteration count carried in the p2c header parameter. An attacker can supply a very large p2c value, which is passed to PHP's hash_pbkdf2() during key derivation, so the CPU time spent per request grows linearly with an attacker-chosen number. This can exhaust server resources and render the application unavailable. The vulnerable code resides in the decryptKey() and generateKeyFromPassword() functions of PBES2.php. No authentication is required, and the attack can be triggered even with an otherwise invalid JWE, because the header is processed and the key derived before the token is rejected. A proof of concept demonstrates shutting down a PHP development server by sending a crafted JWE with a high p2c value.
Recommendations: Update to SimpleJWT version 1.1.1 or later. If PBES2 key management is not needed, do not include the PBES2 algorithms in the set of alg values the application accepts; a consumer that must accept PBES2 should enforce an upper bound on p2c before any key is derived, since the iteration count is attacker-controlled until the JWE has been authenticated.
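The following Python is an added illustration of the missing check, not code from SimpleJWT, from the advisory, or from the referenced proof of concept. It parses the protected header of a compact JWE, bounds p2c (and checks p2s) before calling PBKDF2, and derives the PBES2 key-wrapping key per RFC 7518 §4.8 only for headers that pass. The cap DEFAULT_MAX_P2C is a hypothetical value chosen for the example, and both sample tokens are constructed here (their ciphertext parts are filler). In the PHP library the equivalent bound belongs immediately in front of the hash_pbkdf2() call in decryptKey() and generateKeyFromPassword().

```python
import base64
import hashlib
import json

# RFC 7518 §4.8: PBES2 algorithm -> (PRF hash for PBKDF2, derived key length in bytes)
PBES2_ALGS = {
    "PBES2-HS256+A128KW": ("sha256", 16),
    "PBES2-HS384+A192KW": ("sha384", 24),
    "PBES2-HS512+A256KW": ("sha512", 32),
}
MIN_P2C = 1000               # RFC 7518 §4.8.1.2: iteration count should be at least 1000
DEFAULT_MAX_P2C = 1_000_000  # hypothetical upper bound; tune to your CPU budget


class HeaderRejected(ValueError):
    """Raised when a JWE protected header is refused before any key derivation."""


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def parse_protected_header(jwe_compact: str) -> dict:
    """Decode the protected header of a compact JWE (five dot-separated parts)."""
    parts = jwe_compact.split(".")
    if len(parts) != 5:
        raise HeaderRejected("not a compact-serialized JWE")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:  # covers binascii.Error, JSON and UTF-8 errors
        raise HeaderRejected(f"protected header is not valid JSON: {exc}") from exc
    if not isinstance(header, dict):
        raise HeaderRejected("protected header is not a JSON object")
    return header


def validate_pbes2_params(header: dict, max_p2c: int = DEFAULT_MAX_P2C):
    """Bound p2c and check p2s. This is the step an unpatched consumer skips."""
    alg = header.get("alg")
    if alg not in PBES2_ALGS:
        raise HeaderRejected(f"alg {alg!r} is not a PBES2 algorithm")
    p2c = header.get("p2c")
    # bool is an int subclass in Python, so reject it explicitly.
    if not isinstance(p2c, int) or isinstance(p2c, bool):
        raise HeaderRejected("p2c must be a JSON integer")
    if p2c < MIN_P2C:
        raise HeaderRejected(f"p2c={p2c} below minimum {MIN_P2C}")
    if p2c > max_p2c:
        # Without this bound the sender chooses how much CPU the server burns.
        raise HeaderRejected(f"p2c={p2c} exceeds cap {max_p2c}")
    p2s = header.get("p2s")
    if not isinstance(p2s, str):
        raise HeaderRejected("p2s missing or not a string")
    try:
        salt_input = b64url_decode(p2s)
    except ValueError as exc:
        raise HeaderRejected("p2s is not valid base64url") from exc
    if len(salt_input) < 8:
        raise HeaderRejected("p2s must be at least 8 octets (RFC 7518 §4.8.1.1)")
    return alg, p2c, salt_input


def derive_pbes2_key(header: dict, password: bytes, max_p2c: int = DEFAULT_MAX_P2C) -> bytes:
    """Derive the key-wrapping key, but only after the header passed validation."""
    alg, p2c, salt_input = validate_pbes2_params(header, max_p2c)
    hash_name, key_len = PBES2_ALGS[alg]
    salt = alg.encode("ascii") + b"\x00" + salt_input  # RFC 7518 §4.8.1.1 salt format
    return hashlib.pbkdf2_hmac(hash_name, password, salt, p2c, key_len)


def screen_jwe(jwe_compact: str, max_p2c: int = DEFAULT_MAX_P2C) -> tuple:
    """Front-door check returning (accepted, reason); runs before any cryptography."""
    try:
        validate_pbes2_params(parse_protected_header(jwe_compact), max_p2c)
    except HeaderRejected as exc:
        return False, str(exc)
    return True, "ok"


def build_jwe_with_header(header: dict) -> str:
    """Constructed test input: only the protected header matters for this check;
    the other four parts are placeholder bytes, not a real ciphertext."""
    filler = b64url_encode(b"\x00" * 16)
    return ".".join([b64url_encode(json.dumps(header).encode()), filler, filler, filler, filler])


# Constructed sample tokens (not taken from the advisory's proof of concept).
SALT = b"\x01\x02\x03\x04\x05\x06\x07\x08"
BENIGN_JWE = build_jwe_with_header(
    {"alg": "PBES2-HS256+A128KW", "enc": "A128GCM", "p2s": b64url_encode(SALT), "p2c": 10_000})
# Crafted token: four billion PBKDF2 iterations per request if p2c is trusted.
MALICIOUS_JWE = build_jwe_with_header(
    {"alg": "PBES2-HS256+A128KW", "enc": "A128GCM", "p2s": b64url_encode(SALT), "p2c": 4_000_000_000})

if __name__ == "__main__":
    print(screen_jwe(BENIGN_JWE))
    print(screen_jwe(MALICIOUS_JWE))
    key = derive_pbes2_key(parse_protected_header(BENIGN_JWE), b"correct horse battery staple")
    print(len(key), key.hex())
```

The order of operations is the point: screen_jwe() touches nothing but the header, so a malformed or hostile token is rejected at the cost of one base64 decode and one JSON parse, and hashlib.pbkdf2_hmac() only ever runs with an iteration count the server has agreed to.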

Exploit · Fix · DoS · Resource Exhaustion


Weakness Enumeration

Related Identifiers

CVE-2026-33204
GHSA-XW36-67F8-339X

Affected Products

Simplejwt