Description

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable tokens to exhaust memory and CPU and cause denial of service. This issue has been patched in version 1.6.5. Workarounds for this issue involve rejecting or stripping zip=DEF for inbound JWEs at the application boundary, forking and add a bounded decompression guard via decompressobj().decompress(data, MAX_SIZE)) and returning an error when output exceeds a safe limit, or enforcing strict maximum token sizes and fail fast on oversized inputs; combine with rate limiting.

INFO

Published Date :

2025-10-22T21:31:10.997Z

Last Modified :

2025-11-03T17:45:27.594Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-62706 vulnerability.

Vendors Products
Authlib
  • Authlib
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-62706.

URL Resource
https://github.com/authlib/authlib/commit/e0863d5129316b1790eee5f14cece32a03b8184d cve-icon cve-icon cve-icon
https://github.com/authlib/authlib/security/advisories/GHSA-g7f3-828f-7h7m cve-icon cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-62706 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-62706 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact