CVE-2026-33204 is a vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) found in the simplejwt PHP library developed by kelvinmo. The flaw exists in versions prior to 1.1.1 and specifically affects the handling of JSON Web Encryption (JWE) tokens when PBES2 (Password-Based Encryption Scheme 2) algorithms are used. An attacker can craft malicious JWE tokens with tampered headers that, when passed to the JWE::decrypt() function, cause excessive resource consumption on the server. This can lead to Denial of Service (DoS) by exhausting CPU or memory resources, thereby impacting the availability of applications relying on this library. The vulnerability does not require any authentication or user interaction, making it remotely exploitable over the network. The root cause is insufficient validation or controls on the input JWE header fields when PBES2 algorithms are processed, allowing attackers to trigger expensive cryptographic operations repeatedly. The issue was publicly disclosed and patched in version 1.1.1 of simplejwt. No known exploits are currently reported in the wild, but the ease of exploitation and high impact on availability warrant immediate attention. This vulnerability is particularly critical for web applications that rely on simplejwt for token encryption and decryption, especially those exposed to untrusted inputs or internet-facing endpoints.

The primary impact of CVE-2026-33204 is a Denial of Service condition caused by uncontrolled resource consumption during the decryption of maliciously crafted JWEs using PBES2 algorithms. This can lead to server instability, degraded performance, or complete service outages, affecting the availability of affected applications. Organizations using vulnerable versions of simplejwt in their PHP environments risk disruption of critical services, potentially affecting user experience and business operations. Although confidentiality and integrity are not compromised, the availability impact can be severe, especially for high-traffic web services or APIs relying on JWT-based authentication or encryption. The vulnerability's ease of exploitation without authentication increases the risk of widespread attacks, including automated scanning and exploitation attempts. This can also lead to cascading effects if the affected services are part of larger distributed systems or microservices architectures. The lack of known exploits in the wild suggests the vulnerability is newly disclosed, but proactive mitigation is essential to prevent future attacks.

1. Upgrade simplejwt to version 1.1.1 or later immediately to apply the official patch that addresses this vulnerability. 2. If upgrading is not immediately possible, implement input validation and filtering to restrict or sanitize JWE tokens, especially those using PBES2 algorithms, before passing them to the JWE::decrypt() function. 3. Employ rate limiting and anomaly detection on endpoints that accept JWTs to detect and block suspicious or excessive decryption requests. 4. Monitor application logs for unusual patterns of JWE decryption failures or resource spikes indicative of exploitation attempts. 5. Consider isolating or sandboxing the decryption process to limit resource consumption impact on the main application. 6. Review and harden cryptographic configurations to avoid using PBES2 algorithms if not strictly necessary, or replace them with more secure and efficient alternatives. 7. Educate development teams about secure handling of JWTs and the risks of processing untrusted tokens without proper validation. 8. Conduct penetration testing and vulnerability scanning focusing on JWT handling to identify similar weaknesses in custom implementations.