{"url":"http://public2.vulnerablecode.io/api/packages/124695?format=json","purl":"pkg:deb/debian/python-authlib@1.6.5-1?distro=trixie","type":"deb","namespace":"debian","name":"python-authlib","version":"1.6.5-1","qualifiers":{"distro":"trixie"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"1.6.6-1","latest_non_vulnerable_version":"1.7.2-1","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47990?format=json","vulnerability_id":"VCID-sp9r-m79r-ryd5","summary":"Authlib: JWE zip=DEF decompression bomb enables DoS\n_Authlib’s JWE `zip=DEF` path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable tokens (i.e. tokens encrypted to a key the receiving service will decrypt with — consistent with the PR:L in the CVSS vectors below) to exhaust memory and CPU and cause denial of service._","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-62706.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-62706.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-62706","reference_id":"","reference_type":"","scores":[{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.3334","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33374","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33389","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33353","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33319","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-62706"},{"reference_url":"https://cve.mitre.org/
cgi-bin/cvename.cgi?name=CVE-2025-62706","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-62706"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/authlib/authlib","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/authlib/authlib"},{"reference_url":"https://github.com/authlib/authlib/commit/e0863d5129316b1790eee5f14cece32a03b8184d","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/authlib/authlib/commit/e0863d5129316b1790eee5f14cece32a03b8184d"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2405946","reference_id":"2405946","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2405946"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62706","reference_id":"CVE-2025-62706","reference_type":"","scores":[{"value":"6.5","scoring_syst
em":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62706"},{"reference_url":"https://github.com/advisories/GHSA-g7f3-828f-7h7m","reference_id":"GHSA-g7f3-828f-7h7m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g7f3-828f-7h7m"},{"reference_url":"https://github.com/authlib/authlib/security/advisories/GHSA-g7f3-828f-7h7m","reference_id":"GHSA-g7f3-828f-7h7m","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/authlib/authlib/security/advisories/GHSA-g7f3-828f-7h7m"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:0629","reference_id":"RHSA-2026:0629","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:0629"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:1596","reference_id":"RHSA-2026:1596","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:1596"},{"reference_url":"https://usn.ubuntu.com/8065-1/","reference_id":"USN-8065-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8065-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/124689?format=json","purl":"pkg:deb/debian/python-authlib@0.15.4-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pguz-hqre-77ac"},{"vulnerability":"VCID-sk4t-73s6-rqg9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-authlib@0.15.4-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/124690?format=json","
purl":"pkg:deb/debian/python-authlib@0.15.4-1%2Bdeb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-authlib@0.15.4-1%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/124688?format=json","purl":"pkg:deb/debian/python-authlib@1.2.0-1%2Bdeb12u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4wgd-2mpe-tyh3"},{"vulnerability":"VCID-hrf7-xz6n-efcg"},{"vulnerability":"VCID-pt7d-e6h5-kbd2"},{"vulnerability":"VCID-sk4t-73s6-rqg9"},{"vulnerability":"VCID-zafh-nuvx-6fch"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-authlib@1.2.0-1%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/124693?format=json","purl":"pkg:deb/debian/python-authlib@1.6.0-1%2Bdeb13u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4wgd-2mpe-tyh3"},{"vulnerability":"VCID-hrf7-xz6n-efcg"},{"vulnerability":"VCID-pt7d-e6h5-kbd2"},{"vulnerability":"VCID-sk4t-73s6-rqg9"},{"vulnerability":"VCID-z4uj-gecb-1ucd"},{"vulnerability":"VCID-zafh-nuvx-6fch"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-authlib@1.6.0-1%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/124695?format=json","purl":"pkg:deb/debian/python-authlib@1.6.5-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-authlib@1.6.5-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/124691?format=json","purl":"pkg:deb/debian/python-authlib@1.7.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-authlib@1.7.2-1%3Fdistro=trixie"}],"aliases":["CVE-2025-62706","GHSA-g7f3-828f-7h7m"]
,"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sp9r-m79r-ryd5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47991?format=json","vulnerability_id":"VCID-vjhy-tvsd-gbfm","summary":"Authlib is vulnerable to Denial of Service via Oversized JOSE Segments\n**Summary**\nAuthlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or signature spans hundreds of megabytes. During verification, Authlib decodes and parses the full input before it is rejected, driving CPU and memory consumption to hostile levels and enabling denial of service.\n\n**Impact**\n\n- Attack vector: unauthenticated network attacker submits a malicious JWS/JWT.\n\n- Effect: base64 decode + JSON/crypto processing of huge buffers pegs CPU and allocates large amounts of RAM; a single request can exhaust service capacity.\n\n- Observed behaviour: on a test host, the legacy code attempted to verify a token carrying a 500 MB header, consuming ~4 GB RSS and ~9 s CPU before failing.\n\n- Severity: High. CVSS v3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5).\n\n**Affected Versions**\nAuthlib 1.6.3 and earlier when verifying JWS/JWT tokens. 
Later snapshots with 256 KB header/signature limits are not affected.\n\n**Proof of concept**","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61920.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61920.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-61920","reference_id":"","reference_type":"","scores":[{"value":"0.00424","scoring_system":"epss","scoring_elements":"0.6255","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00424","scoring_system":"epss","scoring_elements":"0.62565","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00424","scoring_system":"epss","scoring_elements":"0.62573","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00424","scoring_system":"epss","scoring_elements":"0.62564","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-61920"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61920","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61920"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/authlib/authlib","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/authlib/authlib"},{"reference_url":"https://github.com/authlib/authlib/commit/867e3f87b0
72347a1ae9cf6983cc8bbf88447e5e","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:46:55Z/"}],"url":"https://github.com/authlib/authlib/commit/867e3f87b072347a1ae9cf6983cc8bbf88447e5e"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2403179","reference_id":"2403179","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2403179"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61920","reference_id":"CVE-2025-61920","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61920"},{"reference_url":"https://github.com/advisories/GHSA-pq5p-34cr-23v9","reference_id":"GHSA-pq5p-34cr-23v9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pq5p-34cr-23v9"},{"reference_url":"https://github.com/authlib/authlib/security/advisories/GHSA-pq5p-34cr-23v9","reference_id":"GHSA-pq5p-34cr-23v9","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system
":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:46:55Z/"}],"url":"https://github.com/authlib/authlib/security/advisories/GHSA-pq5p-34cr-23v9"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:22182","reference_id":"RHSA-2025:22182","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:22182"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:22287","reference_id":"RHSA-2025:22287","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:22287"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:23028","reference_id":"RHSA-2025:23028","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:23028"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:23059","reference_id":"RHSA-2025:23059","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:23059"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:23060","reference_id":"RHSA-2025:23060","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:23060"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:23061","reference_id":"RHSA-2025:23061","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:23061"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:23064","reference_id":"RHSA-2025:23064","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:23064"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:23176","reference_id":"RHSA-2025:23176","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:23176"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:4215","reference_id":"RHSA-2026:4215","reference_type":"","scores":[],"url":"https://access.r
edhat.com/errata/RHSA-2026:4215"},{"reference_url":"https://usn.ubuntu.com/8065-1/","reference_id":"USN-8065-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8065-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/124689?format=json","purl":"pkg:deb/debian/python-authlib@0.15.4-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pguz-hqre-77ac"},{"vulnerability":"VCID-sk4t-73s6-rqg9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-authlib@0.15.4-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/124690?format=json","purl":"pkg:deb/debian/python-authlib@0.15.4-1%2Bdeb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-authlib@0.15.4-1%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/124688?format=json","purl":"pkg:deb/debian/python-authlib@1.2.0-1%2Bdeb12u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4wgd-2mpe-tyh3"},{"vulnerability":"VCID-hrf7-xz6n-efcg"},{"vulnerability":"VCID-pt7d-e6h5-kbd2"},{"vulnerability":"VCID-sk4t-73s6-rqg9"},{"vulnerability":"VCID-zafh-nuvx-6fch"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-authlib@1.2.0-1%252Bdeb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/124693?format=json","purl":"pkg:deb/debian/python-authlib@1.6.0-1%2Bdeb13u1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4wgd-2mpe-tyh3"},{"vulnerability":"VCID-hrf7-xz6n-efcg"},{"vulnerability":"VCID-pt7d-e6h5-kbd2"},{"vulnerability":"VCID-sk4t-73s6-rqg9"},{"vulnerability":"VCID-z4uj-gecb-1ucd"},{"vulnerability":"VCID-zafh-nuvx-6fch"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-authlib@1.6.0-1%252Bdeb13u1%3Fdistro=trixie
"},{"url":"http://public2.vulnerablecode.io/api/packages/124695?format=json","purl":"pkg:deb/debian/python-authlib@1.6.5-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-authlib@1.6.5-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/124691?format=json","purl":"pkg:deb/debian/python-authlib@1.7.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-authlib@1.7.2-1%3Fdistro=trixie"}],"aliases":["CVE-2025-61920","GHSA-pq5p-34cr-23v9"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vjhy-tvsd-gbfm"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-authlib@1.6.5-1%3Fdistro=trixie"}