joserfc Password-Based Encryption Unbounded Iteration Count Vulnerability Leading to Denial-of-Service

A denial-of-service vulnerability has been identified in the joserfc library, which implements JSON Object Signing and Encryption (JOSE) standards. This vulnerability exists in versions through 1.6.2 and allows an unauthenticated attacker to cause CPU exhaustion. The issue arises when the library decrypts a JSON Web Encryption (JWE) token using Password-Based Encryption (PBES2) algorithms. joserfc reads the p2c (PBES2 Count) parameter directly from the token's protected header, which specifies the number of iterations for the PBKDF2 key derivation function. However, joserfc does not validate or limit this value, enabling an attacker to specify a very high iteration count, such as 2^31 - 1. This forces the server to use significant CPU resources to process the token. The vulnerability affects all high-level JWE and JWT decryption interfaces that allow PBES2 algorithms, as the exhaustion occurs during decryption, before any claim validation or signature verification.

Impact

Exploitation of this vulnerability leads to CPU exhaustion, causing a denial-of-service condition where the server's resources are overwhelmed, and legitimate users are unable to access the service.

Reproduction

The vulnerability can be reproduced by sending a JWE token that includes a high p2c value, such as 10 million iterations. This can be done using the joserfc library by crafting a token with an exaggerated p2c parameter and then decrypting it with a key. The decryption process will consume excessive CPU time, demonstrating the denial-of-service effect.

Remediation

Users are advised to update to joserfc version 1.6.3, where this vulnerability has been addressed by implementing a maximum limit for the p2c parameter. Additionally, applications should only enable PBES2 algorithms if necessary and enforce a strict allowlist of algorithms in their JWT/JWE policies.