CVE-2025-59420Insufficient Verification of Data Authenticity in Authlib

CWE-345Insufficient Verification of Data AuthenticityCWE-863Incorrect AuthorizationCWE-636Failing OpenCWE-440Expected Behavior Violation12 documents6 sources
Severity
7.5HIGHNVD
EPSS
0.0%
top 98.24%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
AuthlibPyjwt Project PyjwtDebian Python-authlib+1 more
Timeline
PublishedSep 22
Latest updateApr 3

Description

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters (crit), violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical header (for example, bork or cnf) that strict verifiers reject but Authlib accepts. In mixed‑language fleets, this enables split‑brain verification and can lead to policy bypass, replay, or privilege es

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

debiandebian/python-authlib< python-authlib 0.15.4-1+deb11u1 (bullseye)
NVDauthlib/authlib< 1.6.4
PyPIauthlib/authlib< 1.6.4
PyPIpyjwt_project/pyjwt< 2.12.0

Patches

Patch: github.com

🔴Vulnerability Details

8
GHSA
fast-jwt accepts unknown `crit` header extensions (RFC 7515 violation)2026-04-03
OSV
fast-jwt accepts unknown `crit` header extensions (RFC 7515 violation)2026-04-03
GHSA
PyJWT accepts unknown `crit` header extensions2026-03-13
OSV
PyJWT accepts unknown `crit` header extensions2026-03-13
OSV
python-authlib vulnerabilities2026-02-25

📋Vendor Advisories

3
Ubuntu
Authlib vulnerabilities2026-02-25
Red Hat
authlib: Authlib RFC violation2025-09-22
Debian
CVE-2025-59420: python-authlib - Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior...2025