Authlib · Authlib · CVE-2025-59420
**Name of the Vulnerable Software and Affected Versions**
Authlib versions prior to 1.6.4
**Description**
Authlib's JWS verification accepts tokens whose protected header declares critical header parameters (`crit`) that the verifier does not understand, violating RFC 7515. Section 4.1.11 of that RFC defines `crit` as the list of extension header parameters a recipient must understand and process, and requires the recipient to reject a JWS that names one it does not support ("must-understand" semantics). Authlib does not enforce this: the `deserialize_compact()` API validates the signature and returns the token without consulting `crit`. An attacker can therefore present a signed token carrying a critical header parameter (for example `bork` or `cnf`) that a strict verifier rejects but Authlib accepts. In a mixed-language fleet where some components verify strictly and others run Authlib, the same token is rejected by one and accepted by another (split-brain verification), which can lead to policy bypass, replay, or privilege escalation depending on what the critical parameter was meant to constrain.
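The check a strict recipient applies is small and worth seeing next to the lenient behaviour. The following is an added example, not Authlib's code: a minimal compact-JWS HS256 verifier with a `check_crit()` step implementing RFC 7515 section 4.1.11, plus a `demo()` that builds two constructed tokens (one with `crit: ["bork"]`, one with an extension the recipient understands) and runs both through strict and lenient modes. The function names, the sample key and the extension name `x-tenant` are assumptions for illustration.

```python
"""RFC 7515 `crit` must-understand check beside a lenient verifier (added example)."""
import base64
import hashlib
import hmac
import json

# Header parameters registered by RFC 7515 section 4.1; section 4.1.11
# forbids listing any of them in `crit`.
REGISTERED_HEADER_PARAMS = frozenset({
    "alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256",
    "typ", "cty", "crit",
})


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Build a compact HS256 JWS; used here only to construct sample tokens."""
    signing_input = "{}.{}".format(
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def check_crit(header: dict, understood: frozenset) -> None:
    """Enforce RFC 7515 section 4.1.11; raise ValueError on any violation."""
    if "crit" not in header:
        return
    crit = header["crit"]
    if not isinstance(crit, list) or not crit:
        raise ValueError("crit must be a non-empty array")
    for name in crit:
        if not isinstance(name, str):
            raise ValueError("crit entries must be strings")
        if name in REGISTERED_HEADER_PARAMS:
            raise ValueError(f"crit must not list registered parameter {name!r}")
        if name not in header:
            raise ValueError(f"crit names {name!r} but the header does not carry it")
        if name not in understood:
            # The must-understand rule: unknown critical extension -> reject.
            raise ValueError(f"unsupported critical header parameter {name!r}")


def verify_hs256(token: str, key: bytes, understood=frozenset(), strict=True) -> dict:
    """Verify a compact HS256 JWS and return its payload.

    strict=True applies check_crit (RFC-conformant). strict=False models a
    lenient verifier that checks the signature but ignores `crit`.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if strict:
        check_crit(header, understood)
    return json.loads(b64url_decode(payload_b64))


def demo() -> dict:
    """Constructed tokens showing the split-brain outcome the advisory describes."""
    key = b"constructed-demo-key"  # sample key for the example, not a real secret
    payload = {"sub": "alice", "scope": "admin"}
    understood = frozenset({"x-tenant"})  # hypothetical extension this recipient supports
    unknown = sign_hs256({"alg": "HS256", "crit": ["bork"], "bork": True}, payload, key)
    known = sign_hs256({"alg": "HS256", "crit": ["x-tenant"], "x-tenant": "t1"}, payload, key)
    results = {}
    # Lenient verifier (the vulnerable behaviour): valid signature is enough.
    results["lenient_accepts_unknown_crit"] = verify_hs256(unknown, key, strict=False)["sub"] == "alice"
    try:
        verify_hs256(unknown, key, understood)
        results["strict_rejects_unknown_crit"] = False
    except ValueError:
        results["strict_rejects_unknown_crit"] = True
    results["strict_accepts_understood_crit"] = verify_hs256(known, key, understood)["sub"] == "alice"
    return results


if __name__ == "__main__":
    print(demo())
```

Both tokens carry a valid signature, so the only thing separating accept from reject is the `crit` check; a fleet in which one verifier runs `strict=False` and another runs `strict=True` is exactly the split-brain condition described above.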
**Recommendations**
Update Authlib to version 1.6.4 or later. Until the upgrade is deployed, reject any token whose protected header contains a `crit` parameter before passing it to `deserialize_compact()`, and confirm that every JWS verifier in a mixed fleet applies the same `crit` policy so that no component accepts a token another component rejects.