CVE-2022-36083: CWE-400: Uncontrolled Resource Consumption in panva jose
JOSE is "JSON Web Almost Everything" - JWA, JWS, JWE, JWT, JWK, JWKS with no dependencies using runtime's native crypto in Node.js, Browser, Cloudflare Workers, Electron, and Deno.
The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named `p2c` (PBES2 Count), which determines how many PBKDF2 iterations must be executed in order to derive a CEK wrapping key. The purpose of this parameter is to intentionally slow down the key derivation function in order to make password brute-force and dictionary attacks more expensive. This makes the PBES2 algorithms unsuitable for situations where the JWE is coming from an untrusted source: an adversary can intentionally pick an extremely high PBES2 Count value that initiates a CPU-bound computation that may take an unreasonable amount of time to finish. Under certain conditions, it is possible to have the user's environment consume an unreasonable amount of CPU time.
The impact is limited only to users utilizing the JWE decryption APIs with symmetric secrets to decrypt JWEs from untrusted parties who do not limit the accepted JWE Key Management Algorithms (`alg` Header Parameter) using the `keyManagementAlgorithms` (or `algorithms` in v1.x) decryption option or through other means.
The `v1.28.2`, `v2.0.6`, `v3.20.4`, and `v4.9.2` releases limit the maximum PBKDF2 iteration count to `10000` by default. It is possible to adjust this limit with a newly introduced `maxPBES2Count` decryption option.
If users are unable to upgrade their required library version, they have two options depending on whether they expect to receive JWEs using any of the three PBKDF2-based JWE key management algorithms. They can use the `keyManagementAlgorithms` decryption option to disable accepting PBKDF2 altogether, or they can inspect the JOSE Header prior to using the decryption API and limit the PBKDF2 iteration count (`p2c` Header Parameter).
AI Analysis
Technical Summary
CVE-2022-36083 is a vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) affecting the 'panva jose' library, a widely used implementation of the JSON Object Signing and Encryption (JOSE) standards for JavaScript environments such as Node.js, browsers, Cloudflare Workers, Electron, and Deno.
The vulnerability arises from the handling of the PBKDF2-based Password-Based Encryption Scheme 2 (PBES2) key management algorithms used in JSON Web Encryption (JWE). Specifically, the JOSE Header Parameter 'p2c' (PBES2 Count) sets the number of PBKDF2 iterations used to derive the key that wraps the Content Encryption Key (CEK). The parameter is intended to slow down brute-force attacks by increasing computational cost. However, when JWEs are received from untrusted sources without proper restrictions, an attacker can specify an excessively high 'p2c' value, causing the decryption process to consume an unreasonable amount of CPU resources. This leads to a denial-of-service (DoS) condition by exhausting CPU cycles in the victim's environment.
The vulnerability affects versions prior to 1.28.2, 2.0.6, 3.20.4, and 4.9.2 of the jose library. Mitigations introduced in these versions include limiting the maximum PBKDF2 iteration count to 10,000 by default, with an adjustable 'maxPBES2Count' option. For users unable to upgrade, it is recommended to either disable acceptance of PBKDF2-based algorithms via the 'keyManagementAlgorithms' decryption option or pre-validate the 'p2c' header to enforce iteration count limits before decryption.
Exploitation requires the victim to process JWEs from untrusted parties without such restrictions, and no authentication or user interaction is necessary beyond receiving the malicious JWE payload.
Potential Impact
The primary impact of this vulnerability is a denial-of-service condition caused by excessive CPU consumption during JWE decryption. For European organizations relying on the panva jose library in their applications—especially those processing encrypted data from external or untrusted sources—this can lead to service degradation or outages. This is particularly critical for high-availability services, APIs, or cloud-based applications where jose is used for secure token handling or encrypted communications. The vulnerability does not directly compromise confidentiality or integrity but can disrupt availability, potentially affecting business continuity and user experience. Organizations in sectors such as finance, healthcare, telecommunications, and government services, which often handle encrypted tokens or messages, may face operational risks if the vulnerability is exploited. Additionally, the CPU exhaustion could increase operational costs due to resource overuse and may trigger cascading failures in dependent systems. Since exploitation does not require authentication or user interaction, automated or large-scale attacks are feasible if attackers can deliver malicious JWEs to vulnerable endpoints.
Mitigation Recommendations
1. Upgrade the panva jose library to versions 1.28.2, 2.0.6, 3.20.4, or 4.9.2 or later, which enforce a default maximum PBKDF2 iteration count of 10,000 and provide the 'maxPBES2Count' option for customization.
2. If upgrading is not immediately possible, explicitly configure the 'keyManagementAlgorithms' decryption option to disable acceptance of PBKDF2-based JWE key management algorithms, thereby preventing processing of potentially malicious JWEs using these algorithms.
3. Implement pre-decryption validation of the JOSE header to inspect the 'p2c' parameter and reject JWEs with iteration counts exceeding a safe threshold, ensuring that untrusted inputs cannot trigger excessive CPU usage.
4. Employ rate limiting and input validation at the application or API gateway level to restrict the volume and size of incoming encrypted tokens from untrusted sources.
5. Monitor CPU usage and application performance metrics to detect abnormal spikes that may indicate exploitation attempts.
6. Educate development and security teams about the risks of accepting untrusted JWEs without algorithm restrictions and encourage secure default configurations in cryptographic libraries.
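The header check from recommendation 3, as an added example that is not code from the jose project: it decodes the protected header of a compact-serialization JWE and refuses PBES2 tokens whose `p2c` is missing, malformed or above a ceiling, before any key derivation runs. The names `checkJweHeader`, `sampleJwe` and `MAX_P2C` are hypothetical, and JWEs in JSON serialization (where header parameters can also sit outside the protected header) are out of scope.

```javascript
// Added example (not jose project code). checkJweHeader and sampleJwe are
// hypothetical names; Buffer is the Node.js global.
const PBES2_ALGS = new Set([
  'PBES2-HS256+A128KW',
  'PBES2-HS384+A192KW',
  'PBES2-HS512+A256KW',
]);
const MAX_P2C = 10000; // the default ceiling the fixed releases apply

// Returns { ok, reason } without running any key derivation.
function checkJweHeader(compactJwe, { maxP2c = MAX_P2C, allowPbes2 = true } = {}) {
  if (typeof compactJwe !== 'string') return { ok: false, reason: 'not a string' };
  const parts = compactJwe.split('.');
  if (parts.length !== 5) return { ok: false, reason: 'not a compact JWE' };

  let header;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  } catch {
    return { ok: false, reason: 'unparseable protected header' };
  }
  if (header === null || typeof header !== 'object' || Array.isArray(header)) {
    return { ok: false, reason: 'protected header is not a JSON object' };
  }

  // Non-PBES2 algorithms carry no iteration count; nothing to bound here.
  if (!PBES2_ALGS.has(header.alg)) return { ok: true, reason: 'not PBES2' };
  if (!allowPbes2) return { ok: false, reason: 'PBES2 not accepted' };

  // p2c must be a positive integer; strings, floats and huge values are refused.
  if (!Number.isSafeInteger(header.p2c) || header.p2c < 1) {
    return { ok: false, reason: 'invalid p2c' };
  }
  if (header.p2c > maxP2c) return { ok: false, reason: 'p2c exceeds limit' };
  return { ok: true, reason: 'p2c within limit' };
}

// Constructed sample input: only the header segment is meaningful,
// the other four segments are dummy values.
function sampleJwe(header) {
  const h = Buffer.from(JSON.stringify(header)).toString('base64url');
  return `${h}.AAAA.AAAA.AAAA.AAAA`;
}

const oversized = sampleJwe({ alg: 'PBES2-HS256+A128KW', enc: 'A128GCM', p2s: 'c2FsdA', p2c: 2147483647 });
console.log(checkJweHeader(oversized));
```

Run the check on every untrusted token before it reaches the decryption API; on the fixed releases the `maxPBES2Count` and `keyManagementAlgorithms` options enforce the same bounds inside the library.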
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland, Belgium, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-07-15T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9849c4522896dcbf6909
Added to database: 5/21/2025, 9:09:29 AM
Last enriched: 6/21/2025, 11:39:59 PM
Last updated: 8/18/2025, 11:34:15 PM