SimpleJWT Denial-of-Service Vulnerability via JWE Header Tampering
Vulnerability
A denial-of-service vulnerability has been identified in SimpleJWT, a JSON Web Token library for PHP, prior to version 1.1.1. The issue arises when PBES2 key-management algorithms are used: the 'p2c' header parameter, which sets the PBKDF2 iteration count, was accepted without validation, so an unauthenticated attacker can manipulate JWE headers and cause CPU exhaustion. This vulnerability affects applications that decrypt attacker-controlled JWEs with PBES2 algorithms.
Impact
Exploitation of this vulnerability leads to significant CPU exhaustion, causing the application to become unresponsive and unavailable to legitimate users.
Reproduction
To reproduce this vulnerability, submit a crafted JWE with a large 'p2c' value (over 400 billion iterations) to a server running SimpleJWT version 1.1.0 that is configured to accept JWE decryption requests. When the JWE is processed, the server hits the PHP execution timeout while deriving the key, indicating resource exhaustion.
Remediation
Users can upgrade to SimpleJWT version 1.1.1, which addresses the vulnerability by adding validation to the 'p2c' parameter in PBES2 algorithms.
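The fix described above amounts to bounding the attacker-controlled PBKDF2 iteration count before any key derivation runs. The following is an added example, not SimpleJWT's own code, showing the check a decrypt path should perform on an untrusted JWE: it parses the protected header, rejects a 'p2c' that is not an integer or lies outside an allowed range, requires the minimum 8-octet 'p2s' salt input, and only then derives the PBES2 key-wrapping key as RFC 7518 specifies. The bounds MIN_P2C, MAX_P2C and MIN_P2S_BYTES, the helper names, and the demo JWE (which carries empty placeholder segments instead of real ciphertext) are assumptions made for this example.

```python
import base64
import hashlib
import json

# Bounds on the PBES2 'p2c' (PBKDF2 iteration count) header parameter.
# Assumptions for this example, not SimpleJWT's own limits: tune MAX_P2C
# to the CPU you are willing to spend per token from an untrusted source.
MIN_P2C = 1_000          # RFC 7518 recommends a minimum of 1000
MAX_P2C = 1_000_000
MIN_P2S_BYTES = 8        # RFC 7518 requires at least 8 octets of salt input

# PBES2 alg -> (PRF hash, length in bytes of the derived key-wrapping key)
PBES2_ALGS = {
    "PBES2-HS256+A128KW": ("sha256", 16),
    "PBES2-HS384+A192KW": ("sha384", 24),
    "PBES2-HS512+A256KW": ("sha512", 32),
}


class InvalidJWE(ValueError):
    """Raised when a JWE is rejected before any key derivation is attempted."""


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url as used in JOSE compact serialization."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_protected_header(compact_jwe: str) -> dict:
    """Extract the JSON protected header from a compact-serialized JWE."""
    parts = compact_jwe.split(".")
    if len(parts) != 5:
        raise InvalidJWE("compact JWE must have exactly five segments")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:
        raise InvalidJWE(f"protected header is not base64url JSON: {exc}")
    if not isinstance(header, dict):
        raise InvalidJWE("protected header must be a JSON object")
    return header


def validate_pbes2_params(header: dict) -> dict:
    """Reject untrusted PBES2 parameters before they reach PBKDF2.

    Non-PBES2 algorithms are not this check's concern and pass through.
    """
    if header.get("alg") not in PBES2_ALGS:
        return header
    p2c = header.get("p2c")
    # bool is a subclass of int in Python, so exclude it explicitly; a float
    # such as 4096.0 is rejected rather than silently truncated.
    if not isinstance(p2c, int) or isinstance(p2c, bool):
        raise InvalidJWE("p2c must be a JSON integer")
    if not MIN_P2C <= p2c <= MAX_P2C:
        raise InvalidJWE(f"p2c={p2c} outside [{MIN_P2C}, {MAX_P2C}]")
    p2s = header.get("p2s")
    if not isinstance(p2s, str):
        raise InvalidJWE("p2s must be a base64url string")
    try:
        salt_input = b64url_decode(p2s)
    except ValueError:
        raise InvalidJWE("p2s is not valid base64url")
    if len(salt_input) < MIN_P2S_BYTES:
        raise InvalidJWE("p2s salt input shorter than 8 octets")
    return header


def derive_pbes2_kek(password: bytes, header: dict) -> bytes:
    """Derive the key-wrapping key per RFC 7518 section 4.8, after validation.

    The salt is alg || 0x00 || p2s, so a salt cannot be reused across algs;
    the iteration count is the now-bounded p2c value.
    """
    header = validate_pbes2_params(header)
    prf, key_len = PBES2_ALGS[header["alg"]]
    salt = header["alg"].encode("ascii") + b"\x00" + b64url_decode(header["p2s"])
    return hashlib.pbkdf2_hmac(prf, password, salt, header["p2c"], key_len)


def check_jwe_before_decrypt(compact_jwe: str) -> dict:
    """Gate a decrypt path should call first on attacker-supplied input."""
    return validate_pbes2_params(parse_protected_header(compact_jwe))


def make_demo_jwe(header: dict) -> str:
    """Constructed for this example: the four trailing segments (encrypted
    key, IV, ciphertext, tag) are empty placeholders, enough for header checks."""
    return b64url_encode(json.dumps(header).encode()) + "...."


if __name__ == "__main__":
    sane = {"alg": "PBES2-HS256+A128KW", "enc": "A128GCM",
            "p2c": 4096, "p2s": b64url_encode(b"saltsalt")}
    print("accepted p2c:", check_jwe_before_decrypt(make_demo_jwe(sane))["p2c"])
    hostile = dict(sane, p2c=400_000_000_000)  # the shape the advisory describes
    try:
        check_jwe_before_decrypt(make_demo_jwe(hostile))
    except InvalidJWE as err:
        print("rejected:", err)
```

The ordering is the point: the header is parsed and bounded first, and the PBKDF2 call only happens in derive_pbes2_kek once validate_pbes2_params has returned. A library that derives first and validates afterwards, or never validates, spends the full attacker-chosen iteration count before any error is raised, which is exactly the timeout the Reproduction section describes.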
