CVE-2025-61920— Authlib is vulnerable to Denial of Service via Oversized JOSE Segments
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-61920
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Authlib is vulnerable to Denial of Service via Oversized JOSE Segments
Source: NVD (National Vulnerability Database)
Vulnerability Description
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or signature spans hundreds of megabytes. During verification, Authlib decodes and parses the full input before it is rejected, driving CPU and memory consumption to hostile levels and enabling denial of service. Version 1.6.5 patches the issue. Some temporary workarounds are available. Enforce input size limits before handing tokens to Authlib and/or use application-level throttling to reduce amplification risk.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
输入验证不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Authlib 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Authlib是Authlib开源的一个构建 OAuth 和 OpenID Connect 服务器的终极 Python 库。 Authlib 1.6.5之前版本存在安全漏洞,该漏洞源于JOSE实现接受无限制的JWS/JWT标头和签名段,可能导致拒绝服务攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-61920
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-61920
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: authlib
- CVE-2026-41425
Authlib: Cross-site request forging when using cache - CVE-2026-28498
Authlib: Fail-Open Cryptographic Verification in OIDC Hash B - CVE-2026-28490
Authlib Vulnerable to JWE RSA1_5 Bleichenbacher Padding Orac - CVE-2026-27962
Authlib JWS JWK Header Injection: Signature Verification Byp - CVE-2026-28802
Authlib: Setting `alg: none` and a blank signature appears t
Same vendor: authlib
- CVE-2026-41425
Authlib: Cross-site request forging when using cache - CVE-2026-28498
Authlib: Fail-Open Cryptographic Verification in OIDC Hash B - CVE-2026-28490
Authlib Vulnerable to JWE RSA1_5 Bleichenbacher Padding Orac - CVE-2026-27962
Authlib JWS JWK Header Injection: Signature Verification Byp - CVE-2026-28802
Authlib: Setting `alg: none` and a blank signature appears t
Same weakness: CWE-20
V. Comments for CVE-2025-61920
No comments yet