PT-2025-41596 · PyPI +1 · Authlib +1

Al-Cybision · Published 2025-10-10 · Updated 2025-10-23 · CVE-2025-61920

CVSS v3.1: 7.5 (Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Name of the Vulnerable Software and Affected Versions: Authlib versions prior to 1.6.5
Description: Authlib, a Python library for building OAuth and OpenID Connect servers, has an issue in its JOSE implementation: it accepts JWS/JWT header and signature segments without any size limit. Because the library base64url-decodes and parses the entire input before rejecting it, an unauthenticated attacker (PR:N) can submit a token whose header or signature segment is very large and make the server spend excessive CPU and memory on decoding it, causing a denial of service. Only availability is affected; confidentiality and integrity are not (C:N/I:N/A:H).
Recommendations: Update to Authlib version 1.6.5 or later. Enforce a size limit on incoming tokens (the whole compact serialization and each dot-separated segment) before passing them to Authlib, so that an oversized token is rejected by a length comparison rather than decoded. Apply application-level rate limiting to endpoints that accept tokens to reduce the amplification an attacker gets from repeated oversized requests.
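The following Python pre-filter is an added example of the "enforce input size limits before passing tokens to Authlib" recommendation; it is not code from Authlib or from this advisory. The caps MAX_TOKEN_BYTES, MAX_HEADER_BYTES and MAX_SIGNATURE_BYTES are assumed values chosen for the example, and the benign and hostile tokens are constructed inline. The checks are applied to the raw compact serialization before any base64url decoding, so a token carrying a multi-kilobyte header or signature costs the server only a few length comparisons; a token that passes the filter is then handed to the (patched) library's normal decode and verify path.

```python
import base64
import binascii
import hashlib
import hmac
import json
import re

# Assumed caps for this example. A real JOSE header is tens of bytes and a
# signature is at most about 1 KB (large RSA keys), so anything far beyond
# that is not a token worth decoding.
MAX_TOKEN_BYTES = 8 * 1024
MAX_HEADER_BYTES = 1024
MAX_SIGNATURE_BYTES = 2048

_B64URL = re.compile(rb"[A-Za-z0-9_-]*")


class TokenRejected(ValueError):
    """Raised when a token fails the cheap pre-checks; nothing was decoded."""


def _b64url_encode(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _b64url_decode(segment: bytes) -> bytes:
    return base64.urlsafe_b64decode(segment + b"=" * (-len(segment) % 4))


def precheck_compact_jws(token) -> dict:
    """Size- and shape-check a compact JWS/JWT and return its decoded header.

    Only the header (already bounded by MAX_HEADER_BYTES) is decoded; the
    payload and signature are never decoded here, so the work done on a
    hostile token is bounded by the length checks, not by its content.
    This is a pre-filter, not a replacement for signature verification.
    """
    if isinstance(token, str):
        try:
            token = token.encode("ascii")
        except UnicodeEncodeError:
            raise TokenRejected("token contains non-ASCII characters") from None
    if len(token) > MAX_TOKEN_BYTES:
        raise TokenRejected(f"token too large: {len(token)} > {MAX_TOKEN_BYTES} bytes")
    parts = token.split(b".")
    if len(parts) != 3:
        raise TokenRejected(f"expected 3 dot-separated segments, got {len(parts)}")
    header_b64, _payload_b64, sig_b64 = parts
    if len(header_b64) > MAX_HEADER_BYTES:
        raise TokenRejected(f"header segment too large: {len(header_b64)} bytes")
    if len(sig_b64) > MAX_SIGNATURE_BYTES:
        raise TokenRejected(f"signature segment too large: {len(sig_b64)} bytes")
    for seg in parts:
        if not _B64URL.fullmatch(seg):
            raise TokenRejected("segment contains characters outside the base64url alphabet")
    try:
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, binascii.Error):
        raise TokenRejected("header is not base64url-encoded JSON") from None
    if not isinstance(header, dict) or not isinstance(header.get("alg"), str):
        raise TokenRejected("header is not a JSON object with a string 'alg'")
    return header


# Constructed sample tokens for the demo (not real traffic).

def make_hs256_token(header: dict, payload: dict, key: bytes) -> str:
    """Build a legitimate HS256 compact JWS used as the benign sample."""
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + b"."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return (signing_input + b"." + _b64url_encode(sig)).decode()


def make_oversized_token(header_bytes: int, signature_bytes: int, key: bytes) -> str:
    """Mimic the attacker's token: a well-formed JWS whose header and/or
    signature segment is padded far beyond any legitimate size."""
    header = {"alg": "HS256", "typ": "JWT", "kid": "A" * max(header_bytes, 0)}
    token = make_hs256_token(header, {"sub": "x"}, key)
    if signature_bytes:
        token += "A" * signature_bytes  # still base64url alphabet, just huge
    return token


def demo() -> dict:
    """Run the pre-check against a benign token and two hostile ones."""
    key = b"example-shared-secret"  # constructed key for the demo only
    benign = make_hs256_token({"alg": "HS256", "typ": "JWT"}, {"sub": "alice"}, key)
    big_header = make_oversized_token(header_bytes=4096, signature_bytes=0, key=key)
    big_sig = make_oversized_token(header_bytes=0, signature_bytes=5000, key=key)
    results = {"benign": precheck_compact_jws(benign)}
    for name, tok in (("big_header", big_header), ("big_sig", big_sig)):
        try:
            precheck_compact_jws(tok)
            results[name] = "accepted"
        except TokenRejected as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The per-segment caps matter as much as the whole-token cap: the oversized-header sample above is well under MAX_TOKEN_BYTES in total but still rejected, because a header that does not fit in a kilobyte is not one any legitimate issuer produces. Pair the filter with a request-body size limit at the reverse proxy so the bytes are dropped before they reach the application at all.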

Fix · DoS · Resource Exhaustion

Weakness Enumeration: Allocation of Resources Without Limits (CWE-770)

Related Identifiers

CVE-2025-61920
GHSA-PQ5P-34CR-23V9
SUSE-SU-2025:3754-1

Affected Products

Authlib (PyPI)
Debian