CVE-2025-59420

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters crit, violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical...

CVE-2025-59420 Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass)

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters crit, violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical...

CVE-2025-59420 Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass)

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters crit, violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical...

CVE-2025-59420

Authlib (Python) prior to 1.6.4 verifies JWS tokens with unknown critical header parameters (crit), violating RFC 7515 must-understand semantics. An attacker could craft a signed token that strict verifiers reject but Authlib accepts, enabling policy bypass, replay, or privilege escalation in mix...

GHSA-9GGR-2464-2J32 Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass)

Summary Authlib’s JWS verification accepts tokens that declare unknown critical header parameters crit, violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical header for example, bork or cnf that strict verifiers reject but Authlib accepts. In...

aad-fastapi (>=1.0.0 <=1.1.2), aad-fastapi-dl37 (>=1.0.0 <=1.0.3) +266 more potentially affected by CVE-2025-59420 via authlib (>=0.10.0 <=1.6.3)

authlib PYPI version =0.10.0, =1.0.0, =1.0.0, =0.0.1, =1.0.2, =1.0.2, =1.2.0a20250730, =1.1.0, =1.2.0a20250730, =0.4.0, =0.1.0, =0.1.0a1, =1.2.0, =1.2.0a20250730, =1.2.0a20250730, =1.2.0a20250730, =1.2.0rc4 and more Source cves: CVE-2025-59420 Source advisory: OSV:GHSA-9GGR-2464-2J32...

Incorrect Authorization

Overview authlib is a library in building OAuth and OpenID Connect servers. Affected versions of this package are vulnerable to Incorrect Authorization via the deserializecompact function. An attacker can bypass intended authorization policies by crafting a signed token with unknown critical head...

aad-fastapi-dl37 (>=1.0.0 <=1.0.2), agentiq (>=1.2.0a20250730 <=1.2.0rc4) +207 more potentially affected by CVE-2025-59420 via authlib (>=1.0.0 <=1.6.3)

authlib PYPI version =1.0.0, =1.0.0, =1.2.0a20250730, =1.1.0, =1.2.0a20250730, =0.4.0, =0.1.0, =0.1.0a1, =1.2.0, =1.2.0a20250730, =1.2.0a20250730, =1.2.0a20250730, =1.2.0, =1.2.0a20250730, =1.2.0a20250730, =1.2.0a20250730, =1.2.0rc4 and more Source cves: CVE-2025-59420 Source advisory:...

Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass)

Summary Authlib’s JWS verification accepts tokens that declare unknown critical header parameters crit, violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical header for example, bork or cnf that strict verifiers reject but Authlib accepts. In...

Authlib 安全漏洞

Authlib is the ultimate Python library for building OAuth and OpenID Connect servers open-sourced by Authlib. A security vulnerability exists in Authlib versions prior to 1.6.4, which stems from JWS authentication accepting tokens declaring unknown key header parameters, which could lead to polic...

PT-2025-38752

Name of the Vulnerable Software and Affected Versions Authlib versions prior to 1.6.4 Description Authlib’s JWS verification improperly handles tokens declaring unknown critical header parameters crit, violating RFC 7515 specifications. An attacker can create a signed token with a critical header...

Linux Distros Unpatched Vulnerability : CVE-2021-28374

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The Debian courier-authlib package before 0.71.1-2 for Courier Authentication Library creates a /run/courier/authdaemon directory with weak permissions, allowin...

TencentOS Server 4: python-authlib (TSSA-2024:1134)

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2024:1134 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:...

CVE-2021-43777

Redash is a package for data visualization and sharing. In Redash version 10.0 and prior, the implementation of Google Login via OAuth incorrectly uses the state parameter to pass the next URL to redirect the user to after login. The state parameter should be used for a Cross-Site Request Forgery...

Linux Distros Unpatched Vulnerability : CVE-2024-37568

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is...

PT-2025-54492

Name of the Vulnerable Software and Affected Versions Authlib versions 1.6.5 and prior Description Authlib is a Python library used for building OAuth and OpenID Connect servers. A flaw exists in cache-backed state/request-token storage where it is not linked to the user session. This allows for...

Security Bulletin: authlib-cve202437568-sec-bypass

Summary Authlib security bypass Vulnerability Details CVEID:CVE-2024-37568 DESCRIPTION: Authlib could allow a remote attacker to bypass security restrictions, caused by an algorithm confusion with asymmetric public keys. By sending a specially crafted request, an attacker could exploit this...

Mageia: Security Advisory (MGASA-2024-0238)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Updated python-authlib packages fix security vulnerability

Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. This is similar to CVE-2022-29217 and CVE-2024-33663...

Fedora: Security Advisory (FEDORA-2024-2e9c58d661)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...