CVE-2023-49290: CWE-400: Uncontrolled Resource Consumption in lestrrat-go jwx

Medium
Published: Mon Dec 04 2023 (12/04/2023, 23:42:53 UTC)
Source: CVE Database V5
Vendor/Project: lestrrat-go
Product: jwx

Description

lestrrat-go/jwx is a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. A p2c parameter set too high in JWE's algorithm PBES2-* could lead to a denial of service. The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c (PBES2 Count). This parameter dictates the number of PBKDF2 iterations needed to derive a CEK wrapping key. Its primary purpose is to intentionally slow down the key derivation function, making password brute-force and dictionary attacks more resource-intensive. Therefore, if an attacker sets the p2c parameter in JWE to a very large number, it can cause a lot of computational consumption, resulting in a denial of service. This vulnerability has been addressed in commit `64f2a229b`, which has been included in release versions 1.2.27 and 2.0.18. Users are advised to upgrade. There are no known workarounds for this vulnerability.

AI-Powered Analysis

Last updated: 07/08/2025, 03:12:28 UTC

Technical Analysis

CVE-2023-49290 is a medium-severity vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) affecting the lestrrat-go/jwx Go module, which implements JOSE (JSON Object Signing and Encryption) standards including JWA, JWE, JWK, JWS, and JWT. The vulnerability arises from the handling of the 'p2c' parameter in the PBES2-* key management algorithms used in JWE encryption. The 'p2c' parameter specifies the number of iterations for the PBKDF2 (Password-Based Key Derivation Function 2), which is designed to slow down brute-force attacks by increasing computational cost. However, if an attacker sets this parameter to an excessively high value, it can cause the system to consume excessive CPU resources during key derivation, leading to a denial of service (DoS) condition. This vulnerability affects lestrrat-go/jwx versions prior to 1.2.27 and versions from 2.0.0 up to but not including 2.0.18. The issue has been fixed in versions 1.2.27 and 2.0.18 by limiting or properly handling the 'p2c' parameter to prevent resource exhaustion. No known exploits are currently in the wild, and no workarounds exist other than upgrading to the patched versions. The CVSS v3.1 score is 5.3 (medium), reflecting a network attack vector, no required privileges or user interaction, and impact limited to availability (denial of service). Confidentiality and integrity are not affected.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to the availability of services that rely on the lestrrat-go/jwx library for JOSE-based encryption and key management, particularly those using PBES2 algorithms with PBKDF2 iteration counts controlled by untrusted inputs. An attacker could craft malicious JWE tokens with extremely high 'p2c' values, causing excessive CPU consumption and potentially leading to service outages or degraded performance. This can disrupt authentication, authorization, or secure communication workflows that depend on JWE, impacting business continuity and user experience. While the vulnerability does not compromise data confidentiality or integrity directly, denial of service can have cascading effects, especially in critical infrastructure, financial services, or healthcare sectors prevalent in Europe. Additionally, automated systems or APIs processing JWE tokens without proper input validation are at higher risk. The absence of known exploits reduces immediate threat but does not eliminate the risk, especially as attackers may develop exploits once the vulnerability becomes widely known.

Mitigation Recommendations

The primary and only effective mitigation is to upgrade lestrrat-go/jwx to version 1.2.27 or later, or 2.0.18 or later, depending on the version line in use. Organizations should audit their codebases and dependencies to identify usage of lestrrat-go/jwx and confirm the version deployed. Additionally, implement input validation to restrict or sanitize the 'p2c' parameter in incoming JWE tokens if feasible, rejecting tokens with suspiciously high iteration counts. Monitoring CPU usage and implementing rate limiting or throttling on endpoints that process JWE tokens can help detect and mitigate potential DoS attempts. Employing Web Application Firewalls (WAFs) with custom rules to detect anomalous JWE payloads may provide additional protection. Finally, maintain an inventory of cryptographic libraries and ensure timely patching of dependencies to reduce exposure to similar vulnerabilities.
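The input-validation step recommended above can run before a token ever reaches the library. The following Go sketch is an added example, not code from lestrrat-go/jwx or from this advisory: it covers only the compact serialization, and `CheckP2C`, `MaxP2C` (with its value of 10000) and `sampleToken` are assumed names and policy chosen for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// MaxP2C is an assumed local policy ceiling, not a value taken from the jwx fix.
const MaxP2C = 10000
var ErrP2CTooHigh = errors.New("jwe: p2c exceeds local limit")

// CheckP2C reads only the protected header (no decryption, no PBKDF2 work).
func CheckP2C(compact string) error {
	parts := strings.Split(compact, ".")
	if len(parts) != 5 {
		return errors.New("jwe: not a five-part compact serialization")
	}
	var hdr struct {
		Alg string      `json:"alg"`
		P2C json.Number `json:"p2c"`
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err == nil {
		err = json.Unmarshal(raw, &hdr)
	}
	if err != nil {
		return fmt.Errorf("jwe: unreadable protected header: %w", err)
	}
	if !strings.HasPrefix(hdr.Alg, "PBES2-") {
		return nil // p2c only applies to PBES2 key management
	}
	// Int64 fails when p2c is absent, fractional, or beyond int64.
	if n, err := hdr.P2C.Int64(); err != nil || n < 1 {
		return errors.New("jwe: p2c missing or not a positive integer")
	} else if n > MaxP2C {
		return ErrP2CTooHigh
	}
	return nil
}
// sampleToken wraps a constructed header in a five-part token with dummy parts.
func sampleToken(header string) string {
	return base64.RawURLEncoding.EncodeToString([]byte(header)) + ".a.b.c.d"
}

func main() {
	fmt.Println(CheckP2C(sampleToken(`{"alg":"PBES2-HS256+A128KW","p2c":2000000000}`)))
}
```

A pre-check like this complements the upgrade rather than replacing it; JWE tokens in JSON serialization carry per-recipient headers that this sketch does not inspect.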

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2023-11-24T16:45:24.313Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68386826182aa0cae2801b7c

Added to database: 5/29/2025, 1:59:02 PM

Last enriched: 7/8/2025, 3:12:28 AM

Last updated: 8/16/2025, 1:32:45 AM
