CVE-2026-33204

Published: 20 Mar 2026
Source: redhat
CVSS3: 5.9
EPSS: Low

Description

SimpleJWT is a simple JSON web token library written in PHP. Prior to version 1.1.1, an unauthenticated attacker can perform a Denial of Service via JWE header tampering when PBES2 algorithms are used. Applications that call JWE::decrypt() on attacker-controlled JWEs using PBES2 algorithms are affected. This issue has been patched in version 1.1.1.

A flaw was found in SimpleJWT, a PHP library for JSON Web Tokens. An unauthenticated attacker can exploit this vulnerability by tampering with JSON Web Encryption (JWE) headers when Password-Based Key Derivation Function 2 (PBES2) algorithms are in use. This can lead to a Denial of Service (DoS) if an application calls JWE::decrypt() on attacker-controlled JWEs, making the affected application unavailable.

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

Affected packages

Platform                                 | Package                                   | State         | Recommendation | Release
-----------------------------------------|-------------------------------------------|---------------|----------------|--------
Red Hat Ansible Automation Platform 2    | python3.11-djangorestframework-simplejwt  | Fix deferred  |                |
Red Hat Ansible Automation Platform 2    | python3.12-djangorestframework-simplejwt  | Fix deferred  |                |
Red Hat Ansible Automation Platform 2    | python3x-djangorestframework-simplejwt    | Fix deferred  |                |
Red Hat Ansible Automation Platform 2    | python-djangorestframework-simplejwt      | Fix deferred  |                |

Additional information

Status: Moderate
Weakness: CWE-325
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2449822
Title: SimpleJWT: SimpleJWT: Denial of Service via JWE header tampering

EPSS: 0.00057 (Low), percentile 18%
CVSS3: 5.9 Medium

Related vulnerabilities

CVSS3: 7.5
Source: nvd
11 days ago

SimpleJWT is a simple JSON web token library written in PHP. Prior to version 1.1.1, an unauthenticated attacker can perform a Denial of Service via JWE header tampering when PBES2 algorithms are used. Applications that call JWE::decrypt() on attacker-controlled JWEs using PBES2 algorithms are affected. This issue has been patched in version 1.1.1.

CVSS3: 7.5
Source: github
13 days ago

SimpleJWT has an Unauthenticated Denial of Service via JWE header tampering
