Lookup for vulnerable packages by Package URL.
| Purl | pkg:pypi/authlib@1.6.5 |
|---|
| Type | pypi |
|---|
| Namespace | |
|---|
| Name | authlib |
|---|
| Version | 1.6.5 |
|---|
| Qualifiers |
|
|---|
| Subpath | |
|---|
| Is_vulnerable | true |
|---|
| Next_non_vulnerable_version | 1.6.11 |
|---|
| Latest_non_vulnerable_version | 1.6.11 |
|---|
| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-hrf7-xz6n-efcg |
| vulnerability_id |
VCID-hrf7-xz6n-efcg |
| summary |
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-41425, GHSA-jj8c-mmj3-mmgv, PYSEC-2026-25
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hrf7-xz6n-efcg |
|
| 1 |
| url |
VCID-z4uj-gecb-1ucd |
| vulnerability_id |
VCID-z4uj-gecb-1ucd |
| summary |
Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification
After upgrading the library from 1.5.2 to 1.6.0 (and the latest 1.6.5) it was noticed that previous tests involving passing a malicious JWT containing alg: none and an empty signature was passing the signature verification step without any changes to the application code when a failure was expected. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-28802, GHSA-7wc2-qxgw-g8gg
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-z4uj-gecb-1ucd |
|
|
|---|
| Fixing_vulnerabilities |
| 0 |
| url |
VCID-sp9r-m79r-ryd5 |
| vulnerability_id |
VCID-sp9r-m79r-ryd5 |
| summary |
Authlib : JWE zip=DEF decompression bomb enables DoS
_Authlib’s JWE `zip=DEF` path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable tokens to exhaust memory and CPU and cause denial of service._ |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-62706, GHSA-g7f3-828f-7h7m
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-sp9r-m79r-ryd5 |
|
| 1 |
| url |
VCID-vjhy-tvsd-gbfm |
| vulnerability_id |
VCID-vjhy-tvsd-gbfm |
| summary |
Authlib is vulnerable to Denial of Service via Oversized JOSE Segments
**Summary**
Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or signature spans hundreds of megabytes. During verification, Authlib decodes and parses the full input before it is rejected, driving CPU and memory consumption to hostile levels and enabling denial of service.
**Impact**
- Attack vector: unauthenticated network attacker submits a malicious JWS/JWT.
- Effect: base64 decode + JSON/crypto processing of huge buffers pegs CPU and allocates large amounts of RAM; a single request can exhaust service capacity.
- Observed behaviour: on a test host, the legacy code verified a 500 MB header, consuming ~4 GB RSS and ~9 s CPU before failing.
- Severity: High. CVSS v3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5).
Affected Versions
Authlib ≤ 1.6.3 (and earlier) when verifying JWS/JWT tokens. Later snapshots with 256 KB header/signature limits are not affected.
**Proof of concept** |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-61920, GHSA-pq5p-34cr-23v9
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vjhy-tvsd-gbfm |
|
|
|---|
| Risk_score | null |
|---|
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:pypi/authlib@1.6.5 |
|---|