CVE-2023-50967

7.5 HIGH

📋 TL;DR

CVE-2023-50967 is a denial-of-service vulnerability in latchset jose library versions through 11. Attackers can cause excessive CPU consumption by providing a large p2c (PBES2 Count) value in cryptographic operations. This affects any application using vulnerable versions of the jose library for JSON Object Signing and Encryption.

💻 Affected Systems

Products:
  • latchset jose
Versions: All versions through 11
Operating Systems: All operating systems running vulnerable jose library
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using jose library for JWE (JSON Web Encryption) with PBES2 key derivation is vulnerable when processing untrusted input.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service unavailability due to CPU exhaustion, potentially affecting multiple services if the library is widely used in an application stack.

🟠 Likely Case: Degraded performance or temporary service disruption for applications processing malicious JOSE tokens with large p2c values.

🟢 If Mitigated: Minimal impact with proper input validation and resource limits in place.

🌐 Internet-Facing: MEDIUM - Exploitation requires sending specially crafted tokens to vulnerable endpoints, but many JOSE implementations may not expose the vulnerable parameter.
🏢 Internal Only: LOW - Requires attackers to have access to internal systems or be able to inject malicious tokens into internal workflows.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward - simply send a JWE token with an extremely large p2c value to trigger CPU-intensive PBKDF2 operations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 12 or later

Vendor Advisory: https://github.com/latchset/jose

Restart Required: No

Instructions:

1. Update jose library to version 12 or later.
2. For package managers: 'pip install jose>=12' or equivalent.
3. Rebuild and redeploy applications using the updated library.

🔧 Temporary Workarounds

Input validation for p2c parameter (applies to: all)

Implement validation to reject JWE tokens with p2c values above a reasonable threshold (e.g., 10000).

Resource limiting (applies to: all)

Implement CPU time limits or request timeouts for JOSE token processing operations.

🧯 If You Can't Patch

  • Implement strict input validation to reject JWE tokens with p2c values exceeding safe limits
  • Deploy rate limiting and monitoring for JOSE token processing endpoints
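One way to implement the p2c validation named in the workaround above and in the first "If You Can't Patch" item, as an added example that is not part of this page or of the jose project: a Python pre-filter that decodes the JWE protected header and rejects PBES2 tokens whose p2c lies outside a bounded range, before the token reaches any JOSE library. latchset/jose itself is a C library, so this check sits in front of it (in a gateway or the request handler that receives the token) rather than inside it. The 10000 upper bound is the threshold this page suggests; the 1000 lower bound is the minimum iteration count RFC 7518 recommends for PBES2. The function names, constants and sample tokens are constructed for this example and are not from the library.

```python
import base64
import json

# Upper bound on the PBES2 iteration count accepted before a token is handed
# to a JOSE library. Follows the threshold suggested on this page; tune it to
# the counts your own issuers actually use (assumption: they stay at or below it).
MAX_P2C = 10_000
# Lower bound: RFC 7518 section 4.8.1.2 recommends at least 1000 iterations.
MIN_P2C = 1_000


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment (RFC 7515 appendix C)."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def protected_header(token) -> dict:
    """Return the decoded JWE protected header from compact or JSON serialization."""
    if isinstance(token, str):
        parts = token.split(".")
        if len(parts) != 5:
            raise ValueError("compact JWE must have exactly five segments")
        raw = parts[0]
    elif isinstance(token, dict):
        raw = token.get("protected")
        if not isinstance(raw, str):
            raise ValueError("JSON JWE lacks a string 'protected' member")
    else:
        raise TypeError("token must be a compact string or a JSON object")
    header = json.loads(_b64url_decode(raw))
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    return header


def check_p2c(token, max_p2c: int = MAX_P2C, min_p2c: int = MIN_P2C):
    """Decide whether a JWE may be passed on to the JOSE library.

    Returns (ok, reason). Tokens that do not use a PBES2 alg carry no p2c and
    pass this check; PBES2 tokens must carry an integer p2c within
    [min_p2c, max_p2c]. JSON true/false parse as bool, a subclass of int,
    so bools are rejected explicitly.
    """
    try:
        header = protected_header(token)
    except (ValueError, TypeError) as exc:  # JSONDecodeError and binascii.Error are ValueErrors
        return False, f"malformed token: {exc}"
    alg = header.get("alg")
    if not isinstance(alg, str) or not alg.startswith("PBES2-"):
        return True, f"alg {alg!r} does not use PBES2; no p2c to check"
    p2c = header.get("p2c")
    if isinstance(p2c, bool) or not isinstance(p2c, int):
        return False, "PBES2 header without an integer p2c"
    if p2c < min_p2c:
        return False, f"p2c {p2c} below minimum {min_p2c}"
    if p2c > max_p2c:
        return False, f"p2c {p2c} exceeds limit {max_p2c}"
    return True, f"p2c {p2c} within [{min_p2c}, {max_p2c}]"


def _compact_jwe(header: dict) -> str:
    """Build a compact JWE with the given protected header; the other four
    segments are placeholders (constructed sample, not real ciphertext)."""
    enc = base64.urlsafe_b64encode(
        json.dumps(header, separators=(",", ":")).encode()
    ).rstrip(b"=").decode()
    dummy = base64.urlsafe_b64encode(b"\x00" * 16).rstrip(b"=").decode()
    return ".".join([enc, dummy, dummy, dummy, dummy])


# Constructed sample tokens: a sane PBES2 count, an abusive one, and a non-PBES2 alg.
SAMPLE_OK = _compact_jwe({"alg": "PBES2-HS256+A128KW", "enc": "A128GCM",
                          "p2s": "AAAAAAAAAAA", "p2c": 4096})
SAMPLE_HUGE = _compact_jwe({"alg": "PBES2-HS256+A128KW", "enc": "A128GCM",
                            "p2s": "AAAAAAAAAAA", "p2c": 2_000_000_000})
SAMPLE_RSA = _compact_jwe({"alg": "RSA-OAEP", "enc": "A256GCM"})

if __name__ == "__main__":
    for name, tok in [("ok", SAMPLE_OK), ("huge", SAMPLE_HUGE), ("rsa", SAMPLE_RSA)]:
        print(name, check_p2c(tok))
```

Run the check on every inbound JWE before decryption and log the returned reason on rejection; the reason string doubles as a detection signal for the "requests timing out during token validation" indicator listed further down. The filter deliberately accepts non-PBES2 tokens unchanged, since the CVE only concerns the PBES2 key-derivation path.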

🔍 How to Verify

Check if Vulnerable:

Check jose library version in your application dependencies. If version <= 11 and application processes JWE tokens, it is vulnerable.

Check Version:

python -c "import jose; print(jose.__version__)" or check package manager (pip list | grep jose)

Verify Fix Applied:

Verify jose library version is >= 12. Test with sample JWE tokens containing various p2c values to ensure proper validation.

📡 Detection & Monitoring

Log Indicators:

  • Unusually high CPU usage during JOSE/JWE processing
  • Requests timing out during token validation
  • Multiple failed authentication attempts with malformed tokens

Network Indicators:

  • High volume of requests to JOSE/JWE endpoints
  • Requests with unusually large payloads to authentication endpoints

SIEM Query:

source=application_logs ("jose" OR "JWE" OR "p2c") AND (cpu_usage>90 OR duration>5s)
