CVE-2025-61920

creationtimestamp| type| source ---|---|--- 2025-10-10 02:28:44+00:00| published-proof-of-concept| https://github.com/authlib/authlib/security/advisories/GHSA-pq5p-34cr-23v9...

PT-2025-41596

Name of the Vulnerable Software and Affected Versions Authlib versions prior to 1.6.5 Description Authlib, a Python library for building OAuth and OpenID Connect servers, has an issue in its JOSE implementation. It accepts JWS/JWT header and signature segments without size limits. An attacker can...

Authlib 安全漏洞

Authlib is the ultimate Python library for building OAuth and OpenID Connect servers open-sourced by Authlib. A security vulnerability exists in Authlib versions prior to 1.6.5 that stems from the JOSE implementation accepting unlimited JWS/JWT headers and signature segments, which could lead to ...

EUVD-2021-15057

Malware in sbrugna...

EUVD-2008-2375

Malware in sbrugna...

EUVD-2021-30682

Malicious code in bioql PyPI...

EUVD-2025-30790

Malicious code in bioql PyPI...

Linux Distros Unpatched Vulnerability : CVE-2025-59420

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib's JWS verification accepts tokens that declare unknow...

DEBIAN-CVE-2025-59420

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters crit, violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical...

CVE-2025-59420

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters crit, violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical...

UBUNTU-CVE-2025-59420

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters crit, violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical...

CVE-2025-59420 Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass)

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters crit, violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical...

CVE-2025-59420

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters crit, violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical...

CVE-2025-59420 Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass)

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters crit, violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical...

CVE-2025-59420

Authlib (Python) prior to 1.6.4 verifies JWS tokens with unknown critical header parameters (crit), violating RFC 7515 must-understand semantics. An attacker could craft a signed token that strict verifiers reject but Authlib accepts, enabling policy bypass, replay, or privilege escalation in mix...

CVE-2025-59420 Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass)

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters crit, violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical...

GHSA-9GGR-2464-2J32 Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass)

Summary Authlib’s JWS verification accepts tokens that declare unknown critical header parameters crit, violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical header for example, bork or cnf that strict verifiers reject but Authlib accepts. In...

aad-fastapi (>=1.0.0 <=1.1.2), aad-fastapi-dl37 (>=1.0.0 <=1.0.3) +262 more potentially affected by CVE-2025-59420 via authlib (>=0.10.0 <=1.6.3)

authlib PYPI version =0.10.0, =1.0.0, =1.0.0, =0.0.1, =1.0.2, =1.0.2, =1.2.0a20250730, =1.1.0, =1.2.0a20250730, =0.4.0, =0.1.0, =0.1.0a1, =1.2.0, =1.2.0a20250730, =1.2.0a20250730, =1.2.0a20250730, =1.2.0rc4 and more Source cves: CVE-2025-59420 Source advisory: OSV:GHSA-9GGR-2464-2J32...

aad-fastapi-dl37 (>=1.0.0 <=1.0.2), agentiq (>=1.2.0a20250730 <=1.2.0rc4) +203 more potentially affected by CVE-2025-59420 via authlib (>=1.0.0 <=1.6.3)

authlib PYPI version =1.0.0, =1.0.0, =1.2.0a20250730, =1.1.0, =1.2.0a20250730, =0.4.0, =0.1.0, =0.1.0a1, =1.2.0, =1.2.0a20250730, =1.2.0a20250730, =1.2.0a20250730, =1.2.0, =1.2.0a20250730, =1.2.0a20250730, =1.2.0a20250730, =1.2.0rc4 and more Source cves: CVE-2025-59420 Source advisory:...

Incorrect Authorization

Overview authlib is a library in building OAuth and OpenID Connect servers. Affected versions of this package are vulnerable to Incorrect Authorization via the deserializecompact function. An attacker can bypass intended authorization policies by crafting a signed token with unknown critical head...