62 matches found
Authlib has 1-click Account Takeover vulnerability
Security Advisory: Cache-Backed State Storage CSRF in Authlib The Security Labs team at Snyk has reported a security issue affecting Authlib, identified during a recent research project. The Snyk Security Labs team has identified a vulnerability that can result in a one-click account takeover in...
Denial Of Service (DoS)
Authlib is vulnerable to Denial-Of-Service via Oversized JWS/JWT. The vulnerability is due to Authlib accepting base64url-encoded header or signature inputs of unbounded size, allowing attackers to send tokens with huge encoded header/signature fields that exhaust CPU and memory during verificati...
CVE-2025-62706
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable...
DEBIAN-CVE-2025-62706
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable...
Authlib 安全漏洞
Authlib is the ultimate Python library for building OAuth and OpenID Connect servers open-sourced by Authlib. A security vulnerability exists in Authlib versions prior to 1.6.5, which stems from the JWE zip=DEF path executing an unrestricted DEFLATE decompression, which could lead to memory and C...
Linux Distros Unpatched Vulnerability : CVE-2025-61920
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib's JOSE implementation accepts unbounded JWS/JWT heade...
Allocation of Resources Without Limits or Throttling
Overview authlib is a library in building OAuth and OpenID Connect servers. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the DeflateZipAlgorithm.decompress function. An attacker can exhaust memory and CPU resources by submitting...
aad-fastapi (>=1.0.0 <=1.1.2), aad-fastapi-dl37 (>=1.0.0 <=1.0.3) +268 more potentially affected by CVE-2025-61920 via authlib (>=0.10.0 <=1.6.4)
authlib PYPI version =0.10.0, =1.0.0, =1.0.0, =0.0.1, =1.0.2, =1.0.2, =1.2.0a20250730, =1.1.0, =1.2.0a20250730, =0.4.0, =0.1.0, =0.1.0a1, =1.2.0, =1.2.0a20250730, =1.2.0a20250730, =1.2.0a20250730, =1.2.0rc4 and more Source cves: CVE-2025-61920 Source advisory: OSV:GHSA-PQ5P-34CR-23V9...
Allocation of Resources Without Limits or Throttling
Overview authlib is a library in building OAuth and OpenID Connect servers. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the extractsegment and extractheader processes. An unauthenticated attacker can exhaust system resources and...
CVE-2025-61920 Authlib is vulnerable to Denial of Service via Oversized JOSE Segments
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or signature spans hundreds of megabytes...
CVE-2025-61920
CVE-2025-61920 — Authlib (Python) Authlib’s JOSE implementation (prior to v1.6.5) accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url header or signature spans hundreds of megabytes. During verification, the library decodes and parses the f...
CVE-2025-61920 Authlib is vulnerable to Denial of Service via Oversized JOSE Segments
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or signature spans hundreds of megabytes...
CVE-2025-59420
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters crit, violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical...
Authlib 安全漏洞
Authlib is the ultimate Python library for building OAuth and OpenID Connect servers open-sourced by Authlib. A security vulnerability exists in Authlib versions prior to 1.6.4, which stems from JWS authentication accepting tokens declaring unknown key header parameters, which could lead to polic...
PT-2025-38752
Name of the Vulnerable Software and Affected Versions Authlib versions prior to 1.6.4 Description Authlib’s JWS verification improperly handles tokens declaring unknown critical header parameters crit, violating RFC 7515 specifications. An attacker can create a signed token with a critical header...
PT-2025-54492
Name of the Vulnerable Software and Affected Versions Authlib versions 1.6.5 and prior Description Authlib is a Python library used for building OAuth and OpenID Connect servers. A flaw exists in cache-backed state/request-token storage where it is not linked to the user session. This allows for...
GHSA-5357-C2JX-V7QH Authlib has algorithm confusion with asymmetric public keys
lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. This is similar to CVE-2022-29217 and CVE-2024-33663...
aad-fastapi (>=1.0.0 <=1.1.2), aad-fastapi-dl37 (>=1.0.0 <=1.0.3) +131 more potentially affected by CVE-2024-37568 via authlib (>=0.10.0 <=1.3.0)
authlib PYPI version =0.10.0, =1.0.0, =1.0.0, =0.0.1, =1.0.2, =1.0.2, =1.2.0, =0.0.1, =0.1.0, =1.0.3, =2.0.0, =0.0.59, =0.5.0, =1.6.1, =4.2.0.43, =0.1.0, =0.3.0 and more Source cves: CVE-2024-37568 Source advisory: OSV:GHSA-5357-C2JX-V7QH...
UBUNTU-CVE-2024-37568
lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. This is similar to CVE-2022-29217 and CVE-2024-33663...
aad-fastapi (>=1.0.0 <=1.1.2), aad-fastapi-dl37 (>=1.0.0 <=1.0.3) +131 more potentially affected by CVE-2024-37568 via authlib (>=0.10.0 <=1.3.0)
authlib PYPI version =0.10.0, =1.0.0, =1.0.0, =0.0.1, =1.0.2, =1.0.2, =1.2.0, =0.0.1, =0.1.0, =1.0.3, =2.0.0, =0.0.59, =0.5.0, =1.6.1, =4.2.0.43, =0.1.0, =0.3.0 and more Source cves: CVE-2024-37568 Source advisory: OSV:PYSEC-2024-52...