Description

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or signature spans hundreds of megabytes. During verification, Authlib decodes and parses the full input before it is rejected, driving CPU and memory consumption to hostile levels and enabling denial of service. Version 1.6.5 patches the issue. Some temporary workarounds are available. Enforce input size limits before handing tokens to Authlib and/or use application-level throttling to reduce amplification risk.

INFO

Published Date :

2025-10-10T19:25:07.679Z

Last Modified :

2025-11-03T17:45:23.708Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-61920 vulnerability.

Vendors Products
Authlib
  • Authlib
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-61920.

URL Resource
https://github.com/authlib/authlib/commit/867e3f87b072347a1ae9cf6983cc8bbf88447e5e cve-icon cve-icon cve-icon
https://github.com/authlib/authlib/security/advisories/GHSA-pq5p-34cr-23v9 cve-icon cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-61920 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-61920 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact