SimpleJWT has an Unauthenticated Denial of Service via JWE header tampering
An unauthenticated attacker can perform a Denial of Service via JWE header tampering when PBES2 algorithms are used. Applications that call JWE::decrypt() on attacker-controlled JWEs using PBES2 algorithms are affected.
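
A pre-decryption guard for the exposure described above, as an added example (not SimpleJWT's code or its fix). It assumes the header field that drives the cost is the PBES2 iteration count `p2c` defined in RFC 7518; `precheck_jwe_header`, `ALLOWED_ALGS` and `MAX_P2C` are hypothetical names and policy values.

```php
<?php
// Added example, not SimpleJWT code. Policy values below are assumptions.
const ALLOWED_ALGS = ['PBES2-HS256+A128KW']; // the only alg this app issues (assumed)
const MAX_P2C = 600000;                      // ceiling on PBKDF2 iterations (assumed)

// Validate the protected header of a compact JWE before any key derivation runs.
function precheck_jwe_header(string $token): array
{
    $parts = explode('.', $token);
    if (count($parts) !== 5) {
        throw new InvalidArgumentException('not a compact JWE');
    }
    // base64url -> base64, restore padding, decode strictly
    $b64 = strtr($parts[0], '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $json = base64_decode($b64, true);
    $header = $json === false ? null : json_decode($json, true);
    if (!is_array($header)) {
        throw new InvalidArgumentException('unreadable protected header');
    }
    $alg = $header['alg'] ?? null;
    if (!is_string($alg) || !in_array($alg, ALLOWED_ALGS, true)) {
        throw new InvalidArgumentException('alg not allowed');
    }
    if (str_starts_with($alg, 'PBES2-')) {
        // is_int() also rejects floats and numeric strings such as 1e10 or "4096"
        $p2c = $header['p2c'] ?? null;
        if (!is_int($p2c) || $p2c < 1 || $p2c > MAX_P2C) {
            throw new InvalidArgumentException('p2c outside policy');
        }
    }
    return $header;
}

// Constructed sample tokens: real header segment, dummy remaining segments.
function sample_token(array $header): string
{
    $h = rtrim(strtr(base64_encode(json_encode($header)), '+/', '-_'), '=');
    return $h . '.AAAA.AAAA.AAAA.AAAA';
}

$base = ['alg' => 'PBES2-HS256+A128KW', 'enc' => 'A128CBC-HS256', 'p2s' => 'c2FsdA'];
foreach ([4096, 2000000000] as $p2c) {
    try {
        precheck_jwe_header(sample_token($base + ['p2c' => $p2c]));
        echo "p2c=$p2c: header accepted, pass the token on to JWE::decrypt()\n";
    } catch (InvalidArgumentException $e) {
        echo "p2c=$p2c: rejected before decryption ({$e->getMessage()})\n";
    }
}
```

The guard covers compact serialization only, and an application that never issues PBES2 tokens can drop those algorithms from the allow-list entirely.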