Lucene search
K

103 matches found

NVD
NVD
added 2026/03/16 6:16 p.m.4 views

CVE-2026-27962

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any...

9.1CVSS0.00548EPSS
Exploits1References10
OSV
OSV
added 2026/03/16 6:16 p.m.5 views

UBUNTU-CVE-2026-27962

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any...

9.1CVSS6AI score0.00548EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/03/16 5:34 p.m.4 views

CVE-2026-27962

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any...

9.1CVSS5.9AI score0.00548EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/03/16 5:34 p.m.3 views

CVE-2026-27962 Authlib JWS JWK Header Injection: Signature Verification Bypass

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any...

9.1CVSS6AI score0.00548EPSS
Exploits1References5
CVE
CVE
added 2026/03/16 5:34 p.m.115 views

CVE-2026-27962

Authlib JWS JWK Header Injection (CVE-2026-27962) is detailed in GHSA-wvwj-cvrp-7pv5: when key=None is passed to JWS deserialization, or a key resolver returns None, the library silently uses the attacker-supplied header.jwk as the verification key, allowing forgeable tokens and bypass of authent...

9.1CVSS5.9AI score0.00548EPSS
Exploits1References10Affected Software1
EUVD
EUVD
added 2026/03/16 3:17 p.m.3 views

EUVD-2026-12478

Authlib JWS JWK Header Injection: Signature Verification Bypass...

9.1CVSS5.8AI score0.00548EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2026/03/16 3:17 p.m.7 views

Authlib JWS JWK Header Injection: Signature Verification Bypass

Description Summary A JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic...

9.1CVSS6AI score0.00548EPSS
Exploits1References5Affected Software1
CNNVD
CNNVD
added 2026/03/16 12:0 a.m.8 views

Authlib 数据伪造问题漏洞

Authlib is an open-source library developed by Authlib, designed to build servers for OAuth and OpenID Connect. Versions of Authlib prior to 1.6.9 contained a data manipulation vulnerability, caused by header injection in the JWS implementation. This vulnerability could allow unauthenticated...

9.1CVSS7.2AI score0.00548EPSS
Exploits1References4
RedhatCVE
RedhatCVE
added 2026/03/12 11:3 p.m.5 views

CVE-2026-32597

A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This...

7.5CVSS5.6AI score0.00269EPSS
Exploits1References4
CNNVD
CNNVD
added 2026/03/12 12:0 a.m.7 views

pyjwt 安全漏洞

pyjwt is a Python library developed by José Padilla from the United States. It allows for the encoding and decoding of JSON Web Tokens JWTs. pyjwt has security vulnerabilities, stemming from the lack of validation for the crit header parameter. This vulnerability may allow the acceptance of JWS...

7.5CVSS6.7AI score0.00269EPSS
Exploits1References3
Tenable Nessus
Tenable Nessus
added 2026/03/02 12:0 a.m.5 views

Ubuntu 22.04 LTS / 24.04 LTS : Authlib vulnerabilities (USN-8065-1)

The remote Ubuntu 22.04 LTS / 24.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-8065-1 advisory. Millie Solem discovered that Authlib did not properly restrict algorithm selection during JWT verification, allowing HMAC verification with...

8.8CVSS6AI score0.00596EPSS
Exploits5References6
Redos
Redos
added 2026/02/09 12:0 a.m.10 views

ROS-20260209-73-0033

A vulnerability in the JWE, JWS, JWT go-jose standards suite implementation package for the Go programming language is related to incorrect processing of highly compressed input data. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service...

4.3CVSS5.6AI score0.01956EPSS
Exploits0
IBM Security Bulletins
IBM Security Bulletins
added 2026/02/05 8:23 p.m.10 views

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in jws-3.2.2.tgz

Summary IBM Watson Discovery Cartridge affected by vulnerability in jws-3.2.2.tgz Vulnerability Details CVEID:CVE-2025-65945 DESCRIPTION: auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature...

7.5CVSS5.4AI score0.002EPSS
Exploits1Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2025/12/22 11:27 a.m.12 views

Security Bulletin: IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to multiple node modules (CVE-2025-64718, CVE-2025-64756, CVE-2025-13466 & CVE-2025-65945)

Summary IBM App Connect Enterprise Connector Discovery and OpenAPI Editor, IBM App Connect Enterprise Discovery Connectors and IBM App Connect Enterprise runtime are vulnerable to multiple vulnerabilities due to node modules js-yaml, glob, body-parser and jws. Vulnerability Details...

7.5CVSS6.8AI score0.03092EPSS
Exploits2Affected Software1
CVE
CVE
added 2025/12/04 6:45 p.m.43 views

CVE-2025-65945

CVE-2025-65945 affects auth0/node-jws (Node.js). In affected versions (3.2.2 and earlier; 4.0.0) there is an improper HS256 signature verification under specific conditions when using jws.createVerify() with user-provided header/payload data in HMAC secret lookups. IBM bulletins corroborate the i...

7.5CVSS6.4AI score0.002EPSS
Exploits1References2Affected Software1
NVD
NVD
added 2025/10/10 8:15 p.m.7 views

CVE-2025-61920

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or signature spans hundreds of megabytes...

7.5CVSS0.00596EPSS
Exploits1References3
OSV
OSV
added 2025/10/10 8:15 p.m.5 views

UBUNTU-CVE-2025-61920

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or signature spans hundreds of megabytes...

7.5CVSS7.2AI score0.00596EPSS
Exploits1References6
OSV
OSV
added 2025/10/10 7:25 p.m.3 views

CVE-2025-61920 Authlib is vulnerable to Denial of Service via Oversized JOSE Segments

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or signature spans hundreds of megabytes...

7.5CVSS6.7AI score0.00596EPSS
Exploits1References5
NVD
NVD
added 2025/09/22 6:15 p.m.4 views

CVE-2025-59420

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters crit, violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical...

7.5CVSS0.00244EPSS
Exploits1References3
OSV
OSV
added 2025/09/22 6:15 p.m.3 views

UBUNTU-CVE-2025-59420

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters crit, violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical...

7.5CVSS7AI score0.00244EPSS
Exploits1References5
Rows per page
Query Builder