GHSA-9GGR-2464-2J32 Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass)
Summary Authlib’s JWS verification accepts tokens that declare unknown critical header parameters crit, violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical header for example, bork or cnf that strict verifiers reject but Authlib accepts. In...