Moderate severityNVD Advisory· Published Sep 7, 2022· Updated Apr 22, 2025

JOSE vulnerable to resource exhaustion via specifically crafted JWE

CVE-2022-36083

Description

JOSE is "JSON Web Almost Everything" - JWA, JWS, JWE, JWT, JWK, JWKS with no dependencies using runtime's native crypto in Node.js, Browser, Cloudflare Workers, Electron, and Deno. The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named p2c PBES2 Count, which determines how many PBKDF2 iterations must be executed in order to derive a CEK wrapping key. The purpose of this parameter is to intentionally slow down the key derivation function in order to make password brute-force and dictionary attacks more expensive. This makes the PBES2 algorithms unsuitable for situations where the JWE is coming from an untrusted source: an adversary can intentionally pick an extremely high PBES2 Count value, that will initiate a CPU-bound computation that may take an unreasonable amount of time to finish. Under certain conditions, it is possible to have the user's environment consume unreasonable amount of CPU time. The impact is limited only to users utilizing the JWE decryption APIs with symmetric secrets to decrypt JWEs from untrusted parties who do not limit the accepted JWE Key Management Algorithms (alg Header Parameter) using the keyManagementAlgorithms (or algorithms in v1.x) decryption option or through other means. The v1.28.2, v2.0.6, v3.20.4, and v4.9.2 releases limit the maximum PBKDF2 iteration count to 10000 by default. It is possible to adjust this limit with a newly introduced maxPBES2Count decryption option. If users are unable to upgrade their required library version, they have two options depending on whether they expect to receive JWEs using any of the three PBKDF2-based JWE key management algorithms. They can use the keyManagementAlgorithms decryption option to disable accepting PBKDF2 altogether, or they can inspect the JOSE Header prior to using the decryption API and limit the PBKDF2 iteration count (p2c Header Parameter).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The jose library allows attackers to cause CPU exhaustion by crafting a JWE with an extremely high PBKDF2 iteration count, affecting symmetric JWE decryption.

Vulnerability

Overview

CVE-2022-36083 is a resource exhaustion vulnerability in the jose library, a JavaScript module for JSON Web Encryption (JWE) and related standards. The PBKDF2-based JWE key management algorithms (PBES2-HS256+A128KW, PBES2-HS384+A192KW, PBES2-HS512+A256KW) rely on the p2c header parameter to specify the number of PBKDF2 iterations. An attacker can craft a JWE with an arbitrarily high p2c value, causing the decryption process to consume excessive CPU time during key derivation [1][4].

Exploitation

Conditions

Exploitation is possible when an application uses the JWE decryption APIs with symmetric secrets to decrypt JWEs from untrusted sources. The attacker must be able to supply a malicious JWE that the application attempts to decrypt. If the application does not restrict accepted key management algorithms via the keyManagementAlgorithms option, the PBKDF2-based algorithms are available and the high p2c value is honored [1][4]. The attack is trivial to execute and requires no authentication beyond the ability to send a crafted JWE.

Impact

Successful exploitation results in a denial-of-service (DoS) condition where the target environment's CPU is tied up for an unreasonable duration, potentially degrading service availability or causing timeouts. The impact is limited to users who decrypt JWEs from untrusted parties without limiting the accepted algorithms or the PBKDF2 iteration count [1][4].

Mitigation

The jose maintainers released patches in versions v1.28.2, v2.0.6, v3.20.4, and v4.9.2 that limit the default maximum PBKDF2 iteration count to 10,000. Users can further adjust this limit via the new maxPBES2Count decryption option. For those unable to upgrade, workarounds include using the keyManagementAlgorithms option to exclude PBKDF2 algorithms or inspecting the p2c header prior to decryption [1][3][4].

References

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
josenpm	>= 1.0.0, < 1.28.2	1.28.2
jose-browser-runtimenpm	>= 3.0.0, < 3.20.4	3.20.4
jose-node-cjs-runtimenpm	>= 3.0.0, < 3.20.4	3.20.4
jose-node-esm-runtimenpm	>= 3.0.0, < 3.20.4	3.20.4
josenpm	>= 2.0.0, < 2.0.6	2.0.6
josenpm	>= 3.0.0, < 3.20.4	3.20.4
josenpm	>= 4.0.0, < 4.9.2	4.9.2
jose-browser-runtimenpm	>= 4.0.0, < 4.9.2	4.9.2
jose-node-cjs-runtimenpm	>= 4.0.0, < 4.9.2	4.9.2
jose-node-esm-runtimenpm	>= 4.0.0, < 4.9.2	4.9.2

Affected products

ghsa-coords4 versions
pkg:npm/jose pkg:npm/jose-browser-runtime pkg:npm/jose-node-cjs-runtime pkg:npm/jose-node-esm-runtime
>= 1.0.0, < 1.28.2+ 3 more
- (no CPE)range: >= 1.0.0, < 1.28.2
- (no CPE)range: >= 3.0.0, < 3.20.4
- (no CPE)range: >= 3.0.0, < 3.20.4
- (no CPE)range: >= 3.0.0, < 3.20.4
Panva/Josecpe-rescue
Range: >= 1.0, < 1.28.2

Patches

03d6d013bf6e

fix: limit default PBES2 alg's computational expense

https://github.com/panva/joseFilip SkokanAug 31, 2022via ghsa

commit

4 files changed · +31 −6

src/jwe/flattened/decrypt.ts+2 −2 modified

@@ -188,9 +188,9 @@ export async function flattenedDecrypt(
 
   let cek: KeyLike | Uint8Array
   try {
-    cek = await decryptKeyManagement(alg, key, encryptedKey, joseHeader)
+    cek = await decryptKeyManagement(alg, key, encryptedKey, joseHeader, options)
   } catch (err) {
-    if (err instanceof TypeError) {
+    if (err instanceof TypeError || err instanceof JWEInvalid || err instanceof JOSENotSupported) {
       throw err
     }
     // https://www.rfc-editor.org/rfc/rfc7516#section-11.5

src/lib/decrypt_key_management.ts+7 −1 modified

@@ -4,7 +4,7 @@ import { decrypt as pbes2Kw } from '../runtime/pbes2kw.js'
 import { decrypt as rsaEs } from '../runtime/rsaes.js'
 import { decode as base64url } from '../runtime/base64url.js'
 
-import type { JWEHeaderParameters, KeyLike, JWK } from '../types.d'
+import type { DecryptOptions, JWEHeaderParameters, KeyLike, JWK } from '../types.d'
 import { JOSENotSupported, JWEInvalid } from '../util/errors.js'
 import { bitLength as cekLength } from '../lib/cek.js'
 import { importJWK } from '../key/import.js'
@@ -17,6 +17,7 @@ async function decryptKeyManagement(
   key: KeyLike | Uint8Array,
   encryptedKey: Uint8Array | undefined,
   joseHeader: JWEHeaderParameters,
+  options?: DecryptOptions,
 ): Promise<KeyLike | Uint8Array> {
   checkKeyType(alg, key, 'decrypt')
 
@@ -96,6 +97,11 @@ async function decryptKeyManagement(
       if (typeof joseHeader.p2c !== 'number')
         throw new JWEInvalid(`JOSE Header "p2c" (PBES2 Count) missing or invalid`)
 
+      const p2cLimit = options?.maxPBES2Count || 10_000
+
+      if (joseHeader.p2c > p2cLimit)
+        throw new JWEInvalid(`JOSE Header "p2c" (PBES2 Count) out is of acceptable bounds`)
+
       if (typeof joseHeader.p2s !== 'string')
         throw new JWEInvalid(`JOSE Header "p2s" (PBES2 Salt) missing or invalid`)

src/types.d.ts+7 −0 modified

@@ -401,6 +401,13 @@ export interface DecryptOptions extends CritOption {
    * with compressed plaintext.
    */
   inflateRaw?: InflateFunction
+
+  /**
+   * (PBES2 Key Management Algorithms only) Maximum allowed "p2c" (PBES2 Count) Header Parameter
+   * value. The PBKDF2 iteration count defines the algorithm's computational expense. By default
+   * this value is set to 10000.
+   */
+  maxPBES2Count?: number
 }
 
 /** JWE Deflate option. */

test/jwe/flattened.decrypt.test.mjs+15 −3 modified

@@ -1,6 +1,6 @@
 import test from 'ava'
 import * as crypto from 'crypto'
-import { root } from '../dist.mjs'
+import { root, conditional } from '../dist.mjs'
 
 const { FlattenedEncrypt, flattenedDecrypt, base64url } = await import(root)
 
@@ -177,8 +177,8 @@ test('JWE format validation', async (t) => {
     jwe.encrypted_key = 'foo'
 
     await t.throwsAsync(flattenedDecrypt(jwe, t.context.secret), {
-      message: 'decryption operation failed',
-      code: 'ERR_JWE_DECRYPTION_FAILED',
+      message: 'Encountered unexpected JWE Encrypted Key',
+      code: 'ERR_JWE_INVALID',
     })
   }
 })
@@ -239,3 +239,15 @@ test('decrypt empty data (CBC)', async (t) => {
   const { plaintext } = await flattenedDecrypt(jwe, new Uint8Array(32))
   t.is(plaintext.byteLength, 0)
 })
+
+conditional({ electron: 0 })('decrypt PBES2 p2c limit', async (t) => {
+  const jwe = await new FlattenedEncrypt(new Uint8Array(0))
+    .setProtectedHeader({ alg: 'PBES2-HS256+A128KW', enc: 'A128CBC-HS256' })
+    .setKeyManagementParameters({ p2c: 2049 })
+    .encrypt(new Uint8Array(32))
+
+  await t.throwsAsync(flattenedDecrypt(jwe, new Uint8Array(32), { maxPBES2Count: 2048 }), {
+    message: 'JOSE Header "p2c" (PBES2 Count) out is of acceptable bounds',
+    code: 'ERR_JWE_INVALID',
+  })
+})

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-jv3g-j58f-9mq9ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2022-36083ghsaADVISORY
github.com/panva/jose/commit/03d6d013bf6e070e85adfe5731f526978e3e8e4dghsax_refsource_MISCWEB
github.com/panva/jose/releases/tag/v4.9.2ghsax_refsource_MISCWEB
github.com/panva/jose/security/advisories/GHSA-jv3g-j58f-9mq9ghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000