Unbounded SCRAM iteration count allows a malicious server to cause CPU-exhaustion denial of service

A malicious, compromised, or man-in-the-middle server can supply an arbitrarily large SCRAM-SHA-256 PBKDF2 iteration count during authentication. The client runs it inline with no upper bound, pinning a tokio worker thread for minutes per connection, possibly stalling the whole async runtime...

GHSA-98QH-XJC8-98PQ pgjdbc: Unbounded PBKDF2 iterations in SCRAM authentication allows CPU exhaustion DoS

Summary pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. Impact A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time...

pgjdbc: Unbounded PBKDF2 iterations in SCRAM authentication allows CPU exhaustion DoS

Summary pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. Impact A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time...

PT-2026-36987

Name of the Vulnerable Software and Affected Versions net-imap affected versions not specified Description A hostile IMAP server can trigger a computational denial-of-service attack on the client process during authentication using SCRAM-SHA1 or SCRAM-SHA256. By sending an arbitrarily large PBKDF...

CVE-2026-42198

pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count...

CVE-2026-42198 pgjdbc: Unbounded PBKDF2 iterations in SCRAM authentication allows CPU exhaustion DoS

pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count...

CVE-2026-42198

CVE-2026-42198 affects the pgjdbc PostgreSQL JDBC driver in versions 42.2.0 through before 42.7.11. The vulnerability is a client-side denial of service during SCRAM-SHA-256 authentication: a malicious server can force SCRAM with an extremely high iteration count, causing the client to spend unbo...

CVE-2026-27932

joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption JOSE standards. In 1.6.2 and earlier, a resource exhaustion vulnerability in joserfc allows an unauthenticated attacker to cause a Denial of Service DoS via CPU exhaustion. When the library...

EUVD-2023-3143

Malicious code in bioql PyPI...

Taylored webhook validation vulnerabilities

Critical Security Advisory for Taylored npm package v7.0.7 - tag 7.0.5 Summary A series of moderate to high-severity security vulnerabilities have been identified specifically in version 7.0.7 of \taylored. These vulnerabilities reside in the "Backend-in-a-Box" template distributed with this...

jose4j: denial of service via specially crafted JWE

A flaw was found in the jose.4.j jose4j library. The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c PBES2 Count. This parameter dictates the number of PBKDF2 iterations needed to derive a CEK wrapping key. Its primary purpose is to intentionally slow down...

jose4j: denial of service via specially crafted JWE

A flaw was found in the jose.4.j jose4j library. The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c PBES2 Count. This parameter dictates the number of PBKDF2 iterations needed to derive a CEK wrapping key. Its primary purpose is to intentionally slow down...

CVE-2023-49290 Malicious parameters can cause a denial of service in lestrrat-go/jwx

lestrrat-go/jwx is a Go module implementing various JWx JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE technologies. A p2c parameter set too high in JWE's algorithm PBES2- could lead to a denial of service. The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c...

UBUNTU-CVE-2022-36083

JOSE is "JSON Web Almost Everything" - JWA, JWS, JWE, JWT, JWK, JWKS with no dependencies using runtime's native crypto in Node.js, Browser, Cloudflare Workers, Electron, and Deno. The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named p2c PBES2 Count, which determine...

PT-2022-23172 · Jose · Jose

Name of the Vulnerable Software and Affected Versions: JOSE versions prior to v1.28.2 JOSE versions prior to v2.0.6 JOSE versions prior to v3.20.4 JOSE versions prior to v4.9.2 Description: The PBKDF2-based JWE key management algorithms in JOSE expect a JOSE Header Parameter named p2c PBES2 Count...