Description

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters (crit), violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical header (for example, bork or cnf) that strict verifiers reject but Authlib accepts. In mixed‑language fleets, this enables split‑brain verification and can lead to policy bypass, replay, or privilege escalation. This issue has been patched in version 1.6.4.

INFO

Published Date :

2025-09-22T17:28:53.869Z

Last Modified :

2025-11-03T17:45:19.901Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-59420 vulnerability.

Vendors Products
Authlib
  • Authlib
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-59420.

URL Resource
https://github.com/authlib/authlib/commit/6b1813e4392eb7c168c276099ff7783b176479df cve-icon cve-icon cve-icon
https://github.com/authlib/authlib/security/advisories/GHSA-9ggr-2464-2j32 cve-icon cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-59420 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-59420 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact