CVE-2025-62706 — Uncontrolled Resource Consumption in Authlib

CWE-400 — Uncontrolled Resource Consumption CWE-770 — Allocation of Resources Without Limits or Throttling8 documents6 sources

Severity

6.5MEDIUMNVD

OSV7.5

EPSS

0.1%

top 67.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Authlib Debian Python-authlib

Timeline

PublishedOct 22

Latest updateFeb 25

Description

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable tokens to exhaust memory and CPU and cause denial of service. This issue has been patched in version 1.6.5. Workarounds for this issue involve rejecting or stripping zip=DEF for inbound JWEs at the appl…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/python-authlib< python-authlib 0.15.4-1+deb11u1 (bullseye)

▶NVDauthlib/authlib< 1.6.5

▶PyPIauthlib/authlib< 1.6.5

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

python-authlib vulnerabilities↗2026-02-25

▶

OSV

CVE-2025-62706: Authlib is a Python library which builds OAuth and OpenID Connect servers↗2025-10-22

▶

GHSA

Authlib : JWE zip=DEF decompression bomb enables DoS↗2025-10-10

▶

OSV

Authlib : JWE zip=DEF decompression bomb enables DoS↗2025-10-10

▶

📋Vendor Advisories

Ubuntu

Authlib vulnerabilities↗2026-02-25

▶

Red Hat

authlib: Authlib : JWE zip=DEF decompression bomb enables DoS↗2025-10-22

▶

Debian

CVE-2025-62706: python-authlib - Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior...↗2025

▶