CVE Reports

Originally published at cvereports.com

GHSA-3PRJ-6HQW-CM82: CPU Amplification Denial of Service in web-token JWT Library

Vulnerability ID: GHSA-3PRJ-6HQW-CM82
CVSS Score: 8.7
Published: 2026-06-18

An uncontrolled resource consumption vulnerability in the PBES2-HS* key wrapping algorithms of the web-token JWT library allows remote, unauthenticated attackers to cause a denial of service (DoS) by sending JWE tokens with unbounded iteration counts.

TL;DR

Unbounded iteration count (p2c) in PBES2 decryption allows attackers to block PHP worker threads via highly asymmetric CPU exhaustion attacks, leading to denial of service.


Technical Details

  • Vulnerability ID: GHSA-3PRJ-6HQW-CM82
  • CWE ID: CWE-400 / CWE-770
  • Attack Vector: Network
  • CVSS v4 Score: 8.7 (High)
  • Exploit Status: None (No active public campaigns)
  • CISA KEV Status: Not Listed

Affected Systems

  • web-token/jwt-library
  • web-token/jwt-framework
  • web-token/jwt-library: < 3.4.10 (Fixed in: 3.4.10)
  • web-token/jwt-library: >= 4.0.0, < 4.0.7 (Fixed in: 4.0.7)
  • web-token/jwt-library: >= 4.1.0, < 4.1.7 (Fixed in: 4.1.7)
  • web-token/jwt-framework: <= 4.1.6 (Fixed in: 4.1.7)

Code Analysis

Commit: 4.1.7-p

Implement upper bound checks on PBES2 count (p2c) in key wrapping classes

diff --git a/src/Library/Encryption/Algorithm/KeyEncryption/PBES2AESKW.php b/src/Library/Encryption/Algorithm/KeyEncryption/PBES2AESKW.php
index eb9c0ad3..1faaac91 100644
--- a/src/Library/Encryption/Algorithm/KeyEncryption/PBES2AESKW.php
+++ b/src/Library/Encryption/Algorithm/KeyEncryption/PBES2AESKW.php
@@ -16,12 +16,16 @@
 use function in_array;
 use function is_int;
 use function is_string;
+use function sprintf;

 abstract readonly class PBES2AESKW implements KeyWrapping
 {
+    public const DEFAULT_MAX_COUNT = 1_000_000;
+
     public function __construct(
         private readonly int $salt_size = 64,
-        private readonly int $nb_count = 4096
+        private readonly int $nb_count = 4096,
+        private readonly int $max_count = self::DEFAULT_MAX_COUNT
     ) {
         if (! interface_exists(WrapperInterface::class)) {
             throw new RuntimeException('Please install "spomky-labs/aes-key-wrap" to use AES-KW algorithms');
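Review bot: The new `$max_count` constructor argument is accepted without validation in the visible lines: nothing rejects a zero or negative value, and nothing checks that `$nb_count` does not exceed `$max_count`, so an instance could be configured to emit a `p2c` that its own header check then refuses. Suggest asserting `$max_count > 0` and `$nb_count <= $max_count` in the constructor, and documenting why `DEFAULT_MAX_COUNT` is `1_000_000`, since that is the bound every deployment gets when it never passes the argument.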
@@ -139,6 +143,12 @@ protected function checkHeaderAdditionalParameters(array $header): void
         if (! is_int($header['p2c']) || $header['p2c'] <= 0) {
             throw new InvalidArgumentException('The header parameter "p2c" is not valid.');
         }
+        if ($header['p2c'] > $this->max_count) {
+            throw new InvalidArgumentException(sprintf(
+                'The header parameter "p2c" is too large. The maximum allowed value is %d.',
+                $this->max_count
+            ));
+        }
     }
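Review bot: The comparison `$header['p2c'] > $this->max_count` accepts a value equal to `max_count`, and that edge should be pinned by tests: one token at exactly `max_count` (accepted) and one at `max_count + 1` (rejected with this message). Also consider a dedicated exception type or a log entry for this branch; as written it throws the same `InvalidArgumentException` as the malformed-`p2c` check just above it, so callers cannot tell an oversized iteration count from an ordinary bad header when alerting.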

Mitigation Strategies

  • Upgrade the composer package web-token/jwt-library or web-token/jwt-framework to a secure version.
  • Limit the maximum iteration count allowed (max_count) in the PBES2 algorithms constructor.
  • Remove unused PBES2-based key encryption algorithms from the decryption AlgorithmManager.
  • Implement JWE header filtering middleware to inspect and reject tokens containing excessive p2c values before starting decryption.
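
The header filter from the last mitigation above, as an added example that is not code from the advisory or from web-token: a stand-alone check for JWE compact serialization that reads the protected header and rejects PBES2 tokens whose p2c is missing, malformed or above a limit. The function names and the 10000 limit (the figure the remediation steps suggest) are assumptions, and the sample tokens are constructed.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical pre-decryption guard, not web-token's own code.
// Covers JWE compact serialization only; the 10000 limit is an assumption.
const MAX_P2C = 10_000;

/** Returns null if the token may go to the decrypter, else a rejection reason. */
function jweP2cRejection(string $token, int $maxCount = MAX_P2C): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 5) {
        return 'not a compact JWE';
    }
    if (preg_match('/^[A-Za-z0-9_-]+$/', $parts[0]) !== 1) {
        return 'protected header is not base64url';
    }
    // base64url -> base64, restoring the padding that JOSE strips.
    $b64 = strtr($parts[0], '-_', '+/');
    $raw = base64_decode($b64 . str_repeat('=', (4 - strlen($b64) % 4) % 4), true);
    $header = $raw === false ? null : json_decode($raw, true, 16);
    if (! is_array($header) || array_is_list($header)) {
        return 'protected header is not a JSON object';
    }
    $alg = $header['alg'] ?? null;
    if (! is_string($alg) || ! str_starts_with($alg, 'PBES2-')) {
        return null; // p2c is only consumed by the PBES2 key-wrapping algorithms
    }
    $p2c = $header['p2c'] ?? null;
    // Oversized JSON integers decode to float, so is_int() rejects them too.
    if (! is_int($p2c) || $p2c <= 0) {
        return 'p2c missing or not a positive integer';
    }
    return $p2c > $maxCount ? sprintf('p2c %d exceeds limit %d', $p2c, $maxCount) : null;
}

// Constructed sample tokens: real header layout, dummy remaining segments.
function sampleJwe(array $header): string
{
    return rtrim(strtr(base64_encode(json_encode($header)), '+/', '-_'), '=') . '.a.b.c.d';
}

foreach ([4096, 10_000, 10_001, 2_000_000_000, '4096'] as $p2c) {
    $header = ['alg' => 'PBES2-HS256+A128KW', 'enc' => 'A128CBC-HS256', 'p2s' => 'c2FsdA', 'p2c' => $p2c];
    printf("p2c=%s -> %s\n", var_export($p2c, true), jweP2cRejection(sampleJwe($header)) ?? 'accepted');
}
```

Tokens in JWE JSON serialization need the same check applied to every header that can carry p2c, which this compact-only example does not cover.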

Remediation Steps:

  1. Run 'composer update web-token/jwt-library web-token/jwt-framework' in the environment.
  2. Configure the PBES2 algorithms with a safer iteration limit like 10000 in your initialization code.
  3. Verify that your composer.lock lists version 3.4.10, 4.0.7, or 4.1.7 or later.



Read the full report for GHSA-3PRJ-6HQW-CM82 on our website for more details including interactive diagrams and full exploit analysis.
