erlang-jose (aka JOSE for Erlang and Elixir) up to and including 1.11.6 allows malicious users to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value in a JOSE header.
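
A pre-parse gate for this issue, as an added example that is not part of the advisory or of erlang-jose: it reads `p2c` from every header of a compact or JSON-serialized JWE and rejects the token before any PBES2 key derivation is attempted. The names `check_p2c` and `sample_compact_jwe` and the `MAX_P2C` ceiling of 10,000 are assumptions for illustration; Python is used because the check depends only on the token format, not on the library.

```python
import base64
import json

MAX_P2C = 10_000  # assumed policy ceiling (not from the advisory); tune per deployment


def _b64url_json(segment: str):
    """Decode an unpadded base64url segment that should hold JSON."""
    raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    return json.loads(raw)


def _headers(token: str):
    """Yield every header of a compact or JSON-serialized JWE."""
    if not token.lstrip().startswith("{"):
        yield _b64url_json(token.split(".", 1)[0])
        return
    jwe = json.loads(token)
    if isinstance(jwe.get("protected"), str):
        yield _b64url_json(jwe["protected"])
    yield jwe.get("unprotected")
    yield jwe.get("header")  # flattened JSON serialization
    rcpts = jwe.get("recipients")
    for rcpt in rcpts if isinstance(rcpts, list) else []:
        if isinstance(rcpt, dict):
            yield rcpt.get("header")


def check_p2c(token: str, max_p2c: int = MAX_P2C) -> None:
    """Raise ValueError if any header carries an out-of-policy p2c."""
    for hdr in _headers(token):
        if isinstance(hdr, dict) and "p2c" in hdr:
            p2c = hdr["p2c"]
            # bool is an int subclass in Python, so compare the exact type.
            if type(p2c) is not int or not 1 <= p2c <= max_p2c:
                raise ValueError(f"rejected p2c={p2c!r} (limit {max_p2c})")


def sample_compact_jwe(header: dict) -> str:
    """Constructed sample: real header, placeholder key/iv/ciphertext/tag."""
    h = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=")
    return h.decode() + ".a2V5.aXY.Y3Q.dGFn"


if __name__ == "__main__":
    hdr = {"alg": "PBES2-HS256+A128KW", "enc": "A128GCM", "p2s": "c2FsdA"}
    check_p2c(sample_compact_jwe({**hdr, "p2c": 4096}))  # accepted
    try:
        check_p2c(sample_compact_jwe({**hdr, "p2c": 2_000_000_000}))
    except ValueError as err:
        print(err)
```

Malformed base64 or JSON also surfaces as `ValueError`, so a caller can treat any exception from `check_p2c` as a reason to drop the token.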