Search for packages
| purl | pkg:pypi/authlib@0.2.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-4wgd-2mpe-tyh3
Aliases: CVE-2026-28498 GHSA-m344-f55w-2m6j |
authlib: Authlib: Authentication bypass via forged OpenID Connect ID Tokens |
Affected by 2 other vulnerabilities. |
|
VCID-f8jg-a3bd-x7ax
Aliases: CVE-2025-59420 GHSA-9ggr-2464-2j32 |
Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass) Authlib’s JWS verification accepts tokens that declare unknown critical header parameters (`crit`), violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical header (for example, `bork` or `cnf`) that strict verifiers reject but Authlib accepts. In mixed‑language fleets, this enables split‑brain verification and can lead to policy bypass, replay, or privilege escalation. |
Affected by 8 other vulnerabilities. |
|
VCID-hrf7-xz6n-efcg
Aliases: CVE-2026-41425 GHSA-jj8c-mmj3-mmgv PYSEC-2026-25 |
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11. |
Affected by 1 other vulnerability. |
|
VCID-pt7d-e6h5-kbd2
Aliases: CVE-2026-28490 GHSA-7432-952r-cw78 |
authlib: Authlib: Information disclosure due to cryptographic padding oracle in JWE RSA1_5 |
Affected by 2 other vulnerabilities. |
|
VCID-sk4t-73s6-rqg9
Aliases: CVE-2026-44681 GHSA-r95x-qfjj-fjj2 PYSEC-2026-188 |
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attacker-chosen URL by submitting an authorization request that omits the openid scope. This vulnerability is fixed in 1.6.12 and 1.7.1. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-sp9r-m79r-ryd5
Aliases: CVE-2025-62706 GHSA-g7f3-828f-7h7m |
Authlib : JWE zip=DEF decompression bomb enables DoS _Authlib’s JWE `zip=DEF` path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable tokens to exhaust memory and CPU and cause denial of service._ |
Affected by 7 other vulnerabilities. |
|
VCID-tk6q-528z-rye4
Aliases: CVE-2024-37568 GHSA-5357-c2jx-v7qh PYSEC-2024-52 |
lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.) |
Affected by 9 other vulnerabilities. |
|
VCID-vjhy-tvsd-gbfm
Aliases: CVE-2025-61920 GHSA-pq5p-34cr-23v9 |
Authlib is vulnerable to Denial of Service via Oversized JOSE Segments **Summary** Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or signature spans hundreds of megabytes. During verification, Authlib decodes and parses the full input before it is rejected, driving CPU and memory consumption to hostile levels and enabling denial of service. **Impact** - Attack vector: unauthenticated network attacker submits a malicious JWS/JWT. - Effect: base64 decode + JSON/crypto processing of huge buffers pegs CPU and allocates large amounts of RAM; a single request can exhaust service capacity. - Observed behaviour: on a test host, the legacy code verified a 500 MB header, consuming ~4 GB RSS and ~9 s CPU before failing. - Severity: High. CVSS v3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5). Affected Versions Authlib ≤ 1.6.3 (and earlier) when verifying JWS/JWT tokens. Later snapshots with 256 KB header/signature limits are not affected. **Proof of concept** |
Affected by 7 other vulnerabilities. |
|
VCID-zafh-nuvx-6fch
Aliases: CVE-2026-27962 GHSA-wvwj-cvrp-7pv5 |
authlib: Authlib: Authentication bypass due to JWK Header Injection vulnerability |
Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||