
CVE-2023-51775: n/a

Severity: Medium
Published: Mon Dec 25 2023 (12/25/2023, 00:00:00 UTC)
Source: CVE Database V5

Description

The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.

AI-Powered Analysis

Last updated: 11/03/2025, 22:17:45 UTC

Technical Analysis

CVE-2023-51775 is a denial of service vulnerability in the jose4j Java library, affecting versions prior to 0.9.4. The flaw arises from the handling of the p2c (PBES2 Count) header parameter, which sets the PBKDF2 iteration count for the PBES2 password-based key-wrapping algorithms. An attacker can supply an excessively large p2c value, which causes the library to perform an inordinate number of cryptographic iterations, leading to excessive CPU consumption and effectively a denial of service condition. This vulnerability is categorized under CWE-400 (Uncontrolled Resource Consumption). The attack vector is network-based and requires low privileges, with no user interaction needed, making it relatively easy to exploit in environments where jose4j is used for cryptographic operations. The CVSS v3.1 score is 6.5, reflecting a medium severity due to the impact on availability without affecting confidentiality or integrity. No patches were linked in the provided data, but the fixed version is 0.9.4 or later. No known exploits have been reported in the wild yet, but the vulnerability poses a risk to applications relying on jose4j for secure cryptographic functions, especially those exposed to untrusted inputs.

Potential Impact

For European organizations, this vulnerability primarily threatens the availability of services that utilize the jose4j library for cryptographic operations, such as secure token processing or encryption workflows. A successful attack can lead to denial of service by exhausting CPU resources, potentially causing application crashes or degraded performance. This can disrupt business-critical applications, especially in sectors like finance, healthcare, and government, where cryptographic security is essential. The vulnerability does not compromise data confidentiality or integrity but can indirectly affect operational continuity and service reliability. Organizations with internet-facing Java applications or APIs using jose4j are at higher risk. The medium severity indicates a moderate but non-trivial impact, emphasizing the need for timely remediation to avoid service interruptions and maintain compliance with European data protection and operational resilience regulations.

Mitigation Recommendations

The primary mitigation is to upgrade the jose4j library to version 0.9.4 or later, where this vulnerability is addressed. If immediate upgrading is not feasible, organizations should implement input validation to restrict the p2c parameter to reasonable values, preventing excessively large iteration counts. Additionally, applying resource usage limits or timeouts on cryptographic operations can help mitigate CPU exhaustion risks. Monitoring application performance and CPU usage for anomalies can provide early detection of exploitation attempts. Network-level protections such as rate limiting and filtering suspicious requests targeting cryptographic endpoints can reduce exposure. Finally, ensure secure coding practices and regular dependency audits to identify and remediate vulnerable components promptly.
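The pre-decryption check described above, as an added example that is not jose4j's own code: it parses only the protected header of a compact JWE, refuses PBES2 headers whose p2c is missing, malformed or above a configured ceiling, and times a PBKDF2 derivation at two counts so the linear cost behind the CPU exhaustion is visible. The limit value MAX_P2C, the sample tokens and the password/salt are all constructed for this example; the same gate can be written in Java in front of whatever JOSE library processes the token.

```python
import base64
import hashlib
import json
import time

# Upper bound on the PBES2 iteration count (p2c) this service will honour.
# Constructed value for this example; tune it to your own CPU budget.
MAX_P2C = 100_000


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_jwe_header(token: str) -> dict:
    """Parse the protected header (first dot-separated segment) of a compact
    JWE. No key material is touched, so this is cheap whatever p2c says."""
    protected = token.split(".", 1)[0]
    header = json.loads(b64url_decode(protected))
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    return header


def check_pbes2_header(header: dict, max_p2c: int = MAX_P2C) -> None:
    """Reject PBES2 headers whose iteration count is absent, malformed or
    above max_p2c. Non-PBES2 algorithms are left for the library to judge."""
    alg = header.get("alg", "")
    if not isinstance(alg, str) or not alg.startswith("PBES2-"):
        return
    p2c = header.get("p2c")
    # bool is a subclass of int in Python, so exclude it explicitly
    if isinstance(p2c, bool) or not isinstance(p2c, int) or p2c < 1:
        raise ValueError("p2c must be a positive integer")
    if p2c > max_p2c:
        raise ValueError(f"p2c={p2c} exceeds configured limit {max_p2c}")


def is_accepted(token: str, max_p2c: int = MAX_P2C) -> bool:
    """Gate to run before handing a JWE to the JOSE library."""
    try:
        check_pbes2_header(decode_jwe_header(token), max_p2c)
    except ValueError:  # covers JSON, base64 and UTF-8 decode errors too
        return False
    return True


def pbes2_cost_seconds(p2c: int) -> float:
    """Time one PBKDF2-HMAC-SHA256 derivation with the given count; this is
    the work a PBES2-HS256+A128KW key unwrap performs before anything else."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"example-password", b"example-salt", p2c, dklen=16)
    return time.perf_counter() - start


def make_token(header: dict) -> str:
    """Constructed compact-JWE-shaped string: real protected header, dummy
    remaining segments (enough for the header check, not decryptable)."""
    protected = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    return ".".join([protected, b64url_encode(b"\x00" * 40), b64url_encode(b"\x00" * 12),
                     b64url_encode(b"ciphertext"), b64url_encode(b"\x00" * 16)])


# Constructed sample headers: a normal count and an abusive one.
BENIGN_TOKEN = make_token({"alg": "PBES2-HS256+A128KW", "enc": "A128GCM",
                           "p2s": b64url_encode(b"saltsaltsaltsalt"), "p2c": 4096})
HOSTILE_TOKEN = make_token({"alg": "PBES2-HS256+A128KW", "enc": "A128GCM",
                            "p2s": b64url_encode(b"saltsaltsaltsalt"), "p2c": 2_000_000_000})

if __name__ == "__main__":
    print("benign accepted:", is_accepted(BENIGN_TOKEN))
    print("hostile accepted:", is_accepted(HOSTILE_TOKEN))
    print(f"1k iterations: {pbes2_cost_seconds(1_000):.4f}s, "
          f"50k iterations: {pbes2_cost_seconds(50_000):.4f}s")
```

The check deliberately runs before any decryption call, so a rejected token costs one base64 decode and one JSON parse rather than billions of HMAC invocations; pair it with a log line on rejection and the CPU-usage monitoring the recommendations mention, since a burst of over-limit p2c values is a cheap, high-fidelity signal.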


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2023-12-25T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69092638fe7723195e0b62f9

Added to database: 11/3/2025, 10:01:28 PM

Last enriched: 11/3/2025, 10:17:45 PM

Last updated: 11/3/2025, 11:38:50 PM
