PT-2025-41596 · Pypi+4 · Oauthlib+4
Al-Cybision · Published 2025-10-02 · Updated 2026-03-29 · CVE-2025-61920
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Authlib versions prior to 1.6.5
Description
Authlib, a Python library for building OAuth and OpenID Connect servers, has an issue in its JOSE implementation. It accepts JWS/JWT header and signature segments without size limits. An attacker can create a token with a very large base64url-encoded header or signature, potentially consuming excessive CPU and memory resources, leading to a denial of service. The library decodes and parses the entire input before rejecting it.
Recommendations
Update to Authlib version 1.6.5 or later.
Enforce input size limits before passing tokens to Authlib.
Implement application-level throttling to reduce amplification risk.
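One way to apply the second recommendation, as an added example that is not Authlib's own code: a pre-check on the raw compact serialisation that rejects oversized header and signature segments by string length alone, before any base64url decoding or JSON parsing, so the library's JOSE parser never receives them. The byte limits and the `verify` callback are assumptions to be tuned for the tokens an application actually issues.

```python
# Added example, not Authlib's code: gate compact JWS/JWT tokens by segment
# size before handing them to the JOSE parser. All limits are assumptions.
MAX_TOKEN_LEN = 8 * 1024     # whole compact serialisation, in characters
MAX_HEADER_B64 = 1024        # base64url protected header (typical ones are < 200)
MAX_SIGNATURE_B64 = 1024     # base64url signature (a 4096-bit RSA sig is 683)

# Unpadded base64url alphabet used by compact JWS segments.
_B64URL = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)


class TokenTooLarge(ValueError):
    """A segment exceeded its limit; nothing was decoded or parsed."""


def precheck_compact_jws(token: str) -> tuple[str, str, str]:
    """Return (header, payload, signature) if every segment is within limits.

    Only string lengths and the character set are inspected, so the cost of
    rejecting an oversized token is a few comparisons, not a full decode.
    """
    # Whole-token cap first, so the split below is bounded too.
    if len(token) > MAX_TOKEN_LEN:
        raise TokenTooLarge(f"token longer than {MAX_TOKEN_LEN} characters")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with exactly three segments")
    header, payload, signature = parts
    if len(header) > MAX_HEADER_B64:
        raise TokenTooLarge("protected header segment too large")
    if len(signature) > MAX_SIGNATURE_B64:
        raise TokenTooLarge("signature segment too large")
    for name, seg in (("header", header), ("payload", payload), ("signature", signature)):
        if not seg or not set(seg) <= _B64URL:
            raise ValueError(f"{name} segment is not unpadded base64url")
    return header, payload, signature


def is_within_limits(token: str) -> bool:
    """Boolean form of the pre-check, handy for request filters."""
    try:
        precheck_compact_jws(token)
    except ValueError:
        return False
    return True


def verify_with_size_guard(token: str, verify):
    """Run the size gate, then `verify` (assumed: a callable wrapping the
    library's JWT decode bound to the expected key and claims options)."""
    precheck_compact_jws(token)
    return verify(token)
```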
Exploit
Fix
DoS
Allocation of Resources Without Limits
Resource Exhaustion
RCE
Related Identifiers
Affected Products
Oauthlib
Debian
Linuxmint
Red Os
Ubuntu