CVE-2025-61920Improper Input Validation in Authlib

CWE-20Improper Input ValidationCWE-400Uncontrolled Resource ConsumptionCWE-770Allocation of Resources Without Limits or Throttling8 documents6 sources
Severity
7.5HIGHNVD
EPSS
0.5%
top 34.12%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
AuthlibDebian Python-authlib
Timeline
PublishedOct 10
Latest updateFeb 25

Description

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or signature spans hundreds of megabytes. During verification, Authlib decodes and parses the full input before it is rejected, driving CPU and memory consumption to hostile levels and enabling denial of service. Version 1.6.5 patches the issue. S

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

debiandebian/python-authlib< python-authlib 0.15.4-1+deb11u1 (bullseye)
NVDauthlib/authlib< 1.6.5
PyPIauthlib/authlib< 1.6.5

Patches

Patch: github.com

🔴Vulnerability Details

4
OSV
python-authlib vulnerabilities2026-02-25
GHSA
Authlib is vulnerable to Denial of Service via Oversized JOSE Segments2025-10-10
OSV
Authlib is vulnerable to Denial of Service via Oversized JOSE Segments2025-10-10
OSV
CVE-2025-61920: Authlib is a Python library which builds OAuth and OpenID Connect servers2025-10-10

📋Vendor Advisories

3
Ubuntu
Authlib vulnerabilities2026-02-25
Red Hat
authlib: Authlib Denial of Service2025-10-10
Debian
CVE-2025-61920: python-authlib - Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior...2025