High (7.5)

Python RCE (CVE-2026-27932)

joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In 1.6.2 and earlier, a resource exhaustion vulnerability in joserfc allows ...

Affected: Python

Overview

A significant security vulnerability has been identified in the joserfc Python library, which is used for handling JSON Web Tokens (JWTs) and encryption. This flaw could allow an attacker to completely overwhelm a server’s processing power, causing it to crash or become unresponsive.

Vulnerability Explained

The joserfc library helps applications securely encrypt and sign data using standardized formats. The vulnerability exists in how the library processes encrypted tokens that use a specific password-based encryption method (PBES2).

When decrypting such a token, the library reads a parameter called p2c (PBES2 Count) from the token itself. This number tells the system how many iterations of the key-derivation function to run to derive the decryption key. The critical failure is that the library does not check whether this number is reasonable. An attacker can craft a malicious token with an astronomically high count, such as several billion iterations, and send it to a server. The server then burns all of its CPU time processing this single malicious request, leaving no capacity for legitimate users.

Impact on Systems

The primary impact is a Denial of Service (DoS). An unauthenticated attacker can repeatedly send these specially crafted tokens to a vulnerable application, causing:

  • Severe performance degradation or complete service outage.
  • Exhaustion of server CPU resources, potentially affecting other services on the same host.
  • Disruption of availability for all users.

This vulnerability is rated as HIGH severity with a CVSS score of 7.5. It affects joserfc versions 1.6.2 and earlier.

Remediation and Mitigation

To protect your systems, take the following steps immediately:

  1. Upgrade the Library: The most effective solution is to upgrade joserfc to version 1.6.3 or later, where a default upper limit has been applied to the p2c parameter.
  2. Implement Application-Level Controls: If an immediate upgrade is not possible, configure your application to disallow the PBES2 encryption algorithms (identified as PBES2-HS256+A128KW, PBES2-HS384+A192KW, PBES2-HS512+A256KW). This removes the vulnerable code path entirely.
  3. Apply Rate Limiting: Implement strict rate limiting on all endpoints that accept JWE or JWT tokens. This can help mitigate the impact of an attack by limiting the number of requests a single source can make.
  4. Validate and Monitor: Ensure your systems are monitoring for unusual spikes in CPU usage, which can be an early indicator of an exploitation attempt.

Action Summary: Upgrade joserfc to version 1.6.3+ as the primary fix. If delayed, disable PBES2 algorithm support in your application configuration as a critical temporary mitigation.
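As an added illustration of steps 2 and 4 (not code from joserfc or from this advisory), the check below inspects the protected header of a compact-serialized JWE before it reaches any decryption library: it can refuse the three PBES2 algorithms outright, or enforce an application-chosen cap on p2c. The cap value, the function names and the sample tokens are all assumptions constructed for the example.

```python
import base64
import json

# The three PBES2 algorithms named in the advisory; only these carry a p2c header.
PBES2_ALGS = {"PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW"}

# Assumed application-level cap on p2c; pick one that matches your own tokens.
DEFAULT_MAX_P2C = 10_000


def _b64url_decode(segment: str) -> bytes:
    # JOSE segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def protected_header(token: str) -> dict:
    """Parse the protected header of a compact JWE (five dot-separated segments)."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("not a compact JWE (expected 5 segments)")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError as exc:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        raise ValueError("protected header is not base64url-encoded JSON") from exc
    if not isinstance(header, dict):
        raise ValueError("protected header must be a JSON object")
    return header


def check_pbes2_cost(token: str, max_p2c: int = DEFAULT_MAX_P2C, allow_pbes2: bool = True) -> str:
    """Return the token's alg if it may be handed to the decryptor; raise ValueError otherwise."""
    header = protected_header(token)
    alg = header.get("alg")
    if alg not in PBES2_ALGS:
        return alg  # p2c is only meaningful for PBES2 key wrapping
    if not allow_pbes2:
        raise ValueError(f"{alg} is disabled by policy (mitigation step 2)")
    p2c = header.get("p2c")
    # bool is a subclass of int, so reject true/false explicitly.
    if isinstance(p2c, bool) or not isinstance(p2c, int) or p2c < 1:
        raise ValueError("p2c must be a positive integer")
    if p2c > max_p2c:
        raise ValueError(f"p2c={p2c} exceeds the configured cap of {max_p2c}")
    return alg


def _make_token(header: dict) -> str:
    # Constructed sample: the remaining four segments are dummies, the header check never reads them.
    encoded = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return ".".join([encoded, "AAAA", "AAAA", "AAAA", "AAAA"])


SANE_TOKEN = _make_token({"alg": "PBES2-HS256+A128KW", "enc": "A128GCM", "p2s": "c2FsdA", "p2c": 4096})
OVERSIZED_TOKEN = _make_token({"alg": "PBES2-HS256+A128KW", "enc": "A128GCM", "p2s": "c2FsdA", "p2c": 4_000_000_000})
```

Run the check in the request handler ahead of the library call, and log each rejection so that the CPU-spike monitoring in step 4 has a token-level signal to correlate with.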
