Lucene search
+L

35 matches found

Debian CVE
Debian CVE
added 2026/03/06 6:44 a.m.6 views

CVE-2026-28802

Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature was passing the signature verification step without any changes to the application co...

9.8CVSS8.3AI score0.00425EPSS
Exploits1
Snyk
Snyk
added 2026/03/04 8:55 p.m.4 views

Improper Verification of Cryptographic Signature

Overview authlib is a library in building OAuth and OpenID Connect servers. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in jwt.decode, which accepts alg: none. An attacker can gain unauthorized access, escalate privileges, or modify...

9.8CVSS5.8AI score0.00425EPSS
Exploits1References2
CNNVD
CNNVD
added 2026/03/03 12:0 a.m.8 views

joserfc 安全漏洞

Joserfc is a Python library developed by Authlib. Joserfc versions 1.6.2 and earlier have security vulnerabilities. These vulnerabilities stem from the lack of verification or restrictions on the p2c parameter value in the JWE token. This allows unverified attackers to cause denial-of-service...

7.5CVSS5.8AI score0.00432EPSS
Exploits2References3
UbuntuCve
UbuntuCve
added 2026/01/08 6:15 p.m.5 views

CVE-2025-68158

Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state easily obtainable via an attacker-initiated...

8.8CVSS5.7AI score0.00237EPSS
Exploits1References5
Tenable Nessus
Tenable Nessus
added 2026/01/08 12:0 a.m.5 views

Linux Distros Unpatched Vulnerability : CVE-2025-68158

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied...

8.8CVSS5.8AI score0.00237EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/01/01 12:0 a.m.11 views

PT-2026-25780

Name of the Vulnerable Software and Affected Versions Authlib versions prior to 1.6.9 Description Authlib, a Python library for building OAuth and OpenID Connect servers, contains a cryptographic padding oracle vulnerability in the implementation of the JSON Web Encryption JWE RSA1 5 key manageme...

9.1CVSS5.8AI score0.00548EPSS
Exploits2References37
Positive Technologies
Positive Technologies
added 2026/01/01 12:0 a.m.14 views

PT-2026-25779

Name of the Vulnerable Software and Affected Versions Authlib versions prior to 1.6.9 Description Authlib is a Python library used for building OAuth and OpenID Connect servers. A JWK Header Injection flaw exists in the library's JWS implementation, allowing an unauthenticated attacker to forge...

9.4CVSS6AI score0.00548EPSS
Exploits1References51
NVD
NVD
added 2025/10/22 10:15 p.m.7 views

CVE-2025-62706

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable...

6.5CVSS0.00418EPSS
Exploits1References3
CVE
CVE
added 2025/10/22 9:31 p.m.61 views

CVE-2025-62706

Authlib’s CVE-2025-62706 affects the JWE zip=DEF decompression path in prior releases. A small ciphertext could inflate to tens/hundreds of MB during decrypt, enabling DoS via memory and CPU exhaustion. A fix exists in v1.6.5; mitigations include rejecting or stripping zip=DEF for inbound JWEs, a...

6.5CVSS6.5AI score0.00418EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2025/10/10 10:54 p.m.13 views

GHSA-G7F3-828F-7H7M Authlib : JWE zip=DEF decompression bomb enables DoS

Summary Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable tokens to exhaust memory and CPU and cause denial of service. Details - Affected component...

6.5CVSS7.1AI score0.00418EPSS
Exploits1References5
EUVD
EUVD
added 2025/10/10 7:25 p.m.5 views

EUVD-2025-33768

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or signature spans hundreds of megabytes...

7.5CVSS6.5AI score0.00596EPSS
Exploits1References2
Tenable Nessus
Tenable Nessus
added 2025/09/25 12:0 a.m.6 views

Linux Distros Unpatched Vulnerability : CVE-2025-59420

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib's JWS verification accepts tokens that declare unknow...

7.5CVSS5.4AI score0.00244EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2025/09/22 5:28 p.m.2 views

CVE-2025-59420 Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass)

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters crit, violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical...

7.5CVSS6.6AI score0.00244EPSS
Exploits1References2
OSV
OSV
added 2025/09/22 5:28 p.m.5 views

CVE-2025-59420 Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass)

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters crit, violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical...

7.5CVSS6.7AI score0.00244EPSS
Exploits1References5
Snyk
Snyk
added 2025/09/22 2:42 p.m.2 views

Incorrect Authorization

Overview authlib is a library in building OAuth and OpenID Connect servers. Affected versions of this package are vulnerable to Incorrect Authorization via the deserializecompact function. An attacker can bypass intended authorization policies by crafting a signed token with unknown critical head...

8.7CVSS6.8AI score0.00244EPSS
Exploits1References2
Rows per page
Query Builder