CVE-2025-61920

Home/CVE/Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE impl

CVE

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE impl

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or signature spans hundreds of megabytes.

During verification, Authlib decodes and parses the full input before it is rejected, driving CPU and memory consumption to hostile levels and enabling denial of service. Version 1.6.5 patches the issue. Some temporary workarounds are available.

Enforce input size limits before handing tokens to Authlib and/or use application-level throttling to reduce amplification risk.

HIGH · CVSS 7.5 EPSS 0.00424

Act now

Public exploit or PoC is available
CVSS base score ≥ 7.0

Sigma rules0 YARA rules0

⬡

Weakness Classification

CWE-20Improper Input Validation
CWE-400Uncontrolled Resource Consumption
CWE-770Allocation of Resources Without Limits or Throttling

▤

Affected Products & Versions

authlib< 1.6.5

▤

Affected Packages

Language-ecosystem packages (from OSV) tied to this CVE, with the version that fixes it - the dependency-level detail NVD doesn’t carry.

PyPI authlib HIGH fixed in 1.6.5

⚠

Public Exploits & PoCs

pocgithub.com · GHSA-pq5p-34cr-23v9github.com

▣

Scoring & Timeline

7.5

HIGH · CVSS v3.1 · security-advisories@github.com

View on NVD

Attack Vector

Network Adjacent Local Physical

Attack Complexity

Low High

Privileges Required

None Low High

User Interaction

None Required

Scope

Unchanged Changed

Confidentiality

None Low High

Integrity

None Low High

Availability

None Low High

Published to NVD10 Oct 2025 · 08:15 PM

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC triage · cisa-vulnrichment

Exploitation

none

Automatable

Technical impact

partial

SSVC asks the questions that actually drive patch urgency: is it being exploited, can attacks be automated, and how total is the impact.

⚑

Vendor Advisories

usnUSN-8065-1
rhsaRHSA-2026:4215Important
rhsaRHSA-2025:23064Important
rhsaRHSA-2025:23061Important
rhsaRHSA-2025:23060Important
Show all 12 vendor advisoriesrhsaRHSA-2025:23059Important
rhsaRHSA-2025:23176Important
rhsaRHSA-2025:23028Important
suse-csafSUSE-SU-2025:3754-1
suse-csafopenSUSE-SU-2025:15629-1
rhsaRHSA-2025:22287Important
rhsaRHSA-2025:22182Important

🔗

References & Sources

Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.

https://github.com/authlib/authlib/commit/867e3f87b072347a1ae9cf6983cc8bbf88447e5ePatch

https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

NVD CVE.org CISA Vulners Exploit-DB GitHub PoC VulnCheck KEV GreyNoise

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin