Lucene search
K

62 matches found

Github Security Blog
Github Security Blog
added 2026/01/08 10:40 p.m.8 views

Authlib has 1-click Account Takeover vulnerability

Security Advisory: Cache-Backed State Storage CSRF in Authlib The Security Labs team at Snyk has reported a security issue affecting Authlib, identified during a recent research project. The Snyk Security Labs team has identified a vulnerability that can result in a one-click account takeover in...

8.8CVSS5.8AI score0.00237EPSS
Exploits1References5Affected Software1
Veracode
Veracode
added 2025/11/10 5:51 a.m.6 views

Denial Of Service (DoS)

Authlib is vulnerable to Denial-Of-Service via Oversized JWS/JWT. The vulnerability is due to Authlib accepting base64url-encoded header or signature inputs of unbounded size, allowing attackers to send tokens with huge encoded header/signature fields that exhaust CPU and memory during verificati...

7.5CVSS7AI score0.00596EPSS
Exploits1References5Affected Software1
RedhatCVE
RedhatCVE
added 2025/10/23 10:16 p.m.7 views

CVE-2025-62706

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable...

6.5CVSS6.2AI score0.00418EPSS
Exploits1References5
OSV
OSV
added 2025/10/22 10:15 p.m.3 views

DEBIAN-CVE-2025-62706

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable...

6.5CVSS5.3AI score0.00418EPSS
Exploits1References1
CNNVD
CNNVD
added 2025/10/22 12:0 a.m.3 views

Authlib 安全漏洞

Authlib is the ultimate Python library for building OAuth and OpenID Connect servers open-sourced by Authlib. A security vulnerability exists in Authlib versions prior to 1.6.5, which stems from the JWE zip=DEF path executing an unrestricted DEFLATE decompression, which could lead to memory and C...

6.5CVSS6.4AI score0.00418EPSS
Exploits1References4
Tenable Nessus
Tenable Nessus
added 2025/10/14 12:0 a.m.8 views

Linux Distros Unpatched Vulnerability : CVE-2025-61920

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib's JOSE implementation accepts unbounded JWS/JWT heade...

7.5CVSS7.1AI score0.00596EPSS
Exploits1References2
Snyk
Snyk
added 2025/10/10 10:54 p.m.2 views

Allocation of Resources Without Limits or Throttling

Overview authlib is a library in building OAuth and OpenID Connect servers. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the DeflateZipAlgorithm.decompress function. An attacker can exhaust memory and CPU resources by submitting...

7.1CVSS7AI score0.00418EPSS
Exploits1References3
vulnersOsv
vulnersOsv
added 2025/10/10 8:26 p.m.11 views

aad-fastapi (>=1.0.0 <=1.1.2), aad-fastapi-dl37 (>=1.0.0 <=1.0.3) +268 more potentially affected by CVE-2025-61920 via authlib (>=0.10.0 <=1.6.4)

authlib PYPI version =0.10.0, =1.0.0, =1.0.0, =0.0.1, =1.0.2, =1.0.2, =1.2.0a20250730, =1.1.0, =1.2.0a20250730, =0.4.0, =0.1.0, =0.1.0a1, =1.2.0, =1.2.0a20250730, =1.2.0a20250730, =1.2.0a20250730, =1.2.0rc4 and more Source cves: CVE-2025-61920 Source advisory: OSV:GHSA-PQ5P-34CR-23V9...

7.5CVSS7AI score0.00596EPSS
Exploits1
Snyk
Snyk
added 2025/10/10 8:26 p.m.3 views

Allocation of Resources Without Limits or Throttling

Overview authlib is a library in building OAuth and OpenID Connect servers. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the extractsegment and extractheader processes. An unauthenticated attacker can exhaust system resources and...

8.7CVSS7AI score0.00596EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2025/10/10 7:25 p.m.2 views

CVE-2025-61920 Authlib is vulnerable to Denial of Service via Oversized JOSE Segments

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or signature spans hundreds of megabytes...

7.5CVSS6.6AI score0.00596EPSS
Exploits1References2
CVE
CVE
added 2025/10/10 7:25 p.m.42 views

CVE-2025-61920

CVE-2025-61920 — Authlib (Python) Authlib’s JOSE implementation (prior to v1.6.5) accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url header or signature spans hundreds of megabytes. During verification, the library decodes and parses the f...

7.5CVSS6.6AI score0.00596EPSS
Exploits1References3Affected Software1
Cvelist
Cvelist
added 2025/10/10 7:25 p.m.35 views

CVE-2025-61920 Authlib is vulnerable to Denial of Service via Oversized JOSE Segments

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or signature spans hundreds of megabytes...

7.5CVSS0.00596EPSS
Exploits1References2
Debian CVE
Debian CVE
added 2025/09/22 5:28 p.m.9 views

CVE-2025-59420

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters crit, violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical...

7.5CVSS5.4AI score0.00244EPSS
Exploits1
CNNVD
CNNVD
added 2025/09/22 12:0 a.m.6 views

Authlib 安全漏洞

Authlib is the ultimate Python library for building OAuth and OpenID Connect servers open-sourced by Authlib. A security vulnerability exists in Authlib versions prior to 1.6.4, which stems from JWS authentication accepting tokens declaring unknown key header parameters, which could lead to polic...

7.5CVSS7.5AI score0.00244EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2025/09/22 12:0 a.m.3 views

PT-2025-38752

Name of the Vulnerable Software and Affected Versions Authlib versions prior to 1.6.4 Description Authlib’s JWS verification improperly handles tokens declaring unknown critical header parameters crit, violating RFC 7515 specifications. An attacker can create a signed token with a critical header...

7.5CVSS5.3AI score0.00244EPSS
Exploits1References28
Positive Technologies
Positive Technologies
added 2025/01/01 12:0 a.m.3 views

PT-2025-54492

Name of the Vulnerable Software and Affected Versions Authlib versions 1.6.5 and prior Description Authlib is a Python library used for building OAuth and OpenID Connect servers. A flaw exists in cache-backed state/request-token storage where it is not linked to the user session. This allows for...

8.8CVSS6.6AI score0.00237EPSS
Exploits1References32
OSV
OSV
added 2024/06/09 9:30 p.m.2 views

GHSA-5357-C2JX-V7QH Authlib has algorithm confusion with asymmetric public keys

lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. This is similar to CVE-2022-29217 and CVE-2024-33663...

7.4CVSS7.2AI score0.00382EPSS
Exploits1References8
vulnersOsv
vulnersOsv
added 2024/06/09 9:30 p.m.5 views

aad-fastapi (>=1.0.0 <=1.1.2), aad-fastapi-dl37 (>=1.0.0 <=1.0.3) +131 more potentially affected by CVE-2024-37568 via authlib (>=0.10.0 <=1.3.0)

authlib PYPI version =0.10.0, =1.0.0, =1.0.0, =0.0.1, =1.0.2, =1.0.2, =1.2.0, =0.0.1, =0.1.0, =1.0.3, =2.0.0, =0.0.59, =0.5.0, =1.6.1, =4.2.0.43, =0.1.0, =0.3.0 and more Source cves: CVE-2024-37568 Source advisory: OSV:GHSA-5357-C2JX-V7QH...

7.5CVSS7AI score0.00382EPSS
Exploits1
OSV
OSV
added 2024/06/09 7:15 p.m.4 views

UBUNTU-CVE-2024-37568

lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. This is similar to CVE-2022-29217 and CVE-2024-33663...

7.5CVSS5.8AI score0.00382EPSS
Exploits1References5
vulnersOsv
vulnersOsv
added 2024/06/09 7:15 p.m.4 views

aad-fastapi (>=1.0.0 <=1.1.2), aad-fastapi-dl37 (>=1.0.0 <=1.0.3) +131 more potentially affected by CVE-2024-37568 via authlib (>=0.10.0 <=1.3.0)

authlib PYPI version =0.10.0, =1.0.0, =1.0.0, =0.0.1, =1.0.2, =1.0.2, =1.2.0, =0.0.1, =0.1.0, =1.0.3, =2.0.0, =0.0.59, =0.5.0, =1.6.1, =4.2.0.43, =0.1.0, =0.3.0 and more Source cves: CVE-2024-37568 Source advisory: OSV:PYSEC-2024-52...

7.5CVSS7AI score0.00382EPSS
Exploits1
Rows per page
Query Builder