Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-3ny1-u6w7-jqdz
Vulnerability ID VCID-3ny1-u6w7-jqdz
Aliases CVE-2025-59420
GHSA-9ggr-2464-2j32
Summary Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters (crit), violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical header (for example, bork or cnf) that strict verifiers reject but Authlib accepts. In mixed‑language fleets, this enables split‑brain verification and can lead to policy bypass, replay, or privilege escalation. This issue has been patched in version 1.6.4.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (5)
CWE-345 Insufficient Verification of Data Authenticity
CWE-863 Incorrect Authorization
CWE-440 Expected Behavior Violation
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59420.json
epss 0.00015 https://api.first.org/data/v1/epss?cve=CVE-2025-59420
epss 0.00015 https://api.first.org/data/v1/epss?cve=CVE-2025-59420
epss 0.00015 https://api.first.org/data/v1/epss?cve=CVE-2025-59420
cvssv3.1 7.5 https://github.com/authlib/authlib
generic_textual HIGH https://github.com/authlib/authlib
cvssv3.1 7.5 https://github.com/authlib/authlib/commit/6b1813e4392eb7c168c276099ff7783b176479df
generic_textual HIGH https://github.com/authlib/authlib/commit/6b1813e4392eb7c168c276099ff7783b176479df
ssvc Track https://github.com/authlib/authlib/commit/6b1813e4392eb7c168c276099ff7783b176479df
cvssv3.1 7.5 https://github.com/authlib/authlib/security/advisories/GHSA-9ggr-2464-2j32
generic_textual HIGH https://github.com/authlib/authlib/security/advisories/GHSA-9ggr-2464-2j32
ssvc Track https://github.com/authlib/authlib/security/advisories/GHSA-9ggr-2464-2j32
cvssv3.1 7.5 https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html
generic_textual HIGH https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2025-59420
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2025-59420
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59420.json
https://api.first.org/data/v1/epss?cve=CVE-2025-59420
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59420
https://github.com/authlib/authlib
https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html
https://nvd.nist.gov/vuln/detail/CVE-2025-59420
2397460 https://bugzilla.redhat.com/show_bug.cgi?id=2397460
6b1813e4392eb7c168c276099ff7783b176479df https://github.com/authlib/authlib/commit/6b1813e4392eb7c168c276099ff7783b176479df
GHSA-9ggr-2464-2j32 https://github.com/authlib/authlib/security/advisories/GHSA-9ggr-2464-2j32
RHSA-2025:22182 https://access.redhat.com/errata/RHSA-2025:22182
RHSA-2025:22287 https://access.redhat.com/errata/RHSA-2025:22287
RHSA-2025:23028 https://access.redhat.com/errata/RHSA-2025:23028
RHSA-2025:23059 https://access.redhat.com/errata/RHSA-2025:23059
RHSA-2025:23060 https://access.redhat.com/errata/RHSA-2025:23060
RHSA-2025:23061 https://access.redhat.com/errata/RHSA-2025:23061
RHSA-2025:23064 https://access.redhat.com/errata/RHSA-2025:23064
RHSA-2025:23176 https://access.redhat.com/errata/RHSA-2025:23176
RHSA-2026:1942 https://access.redhat.com/errata/RHSA-2026:1942
RHSA-2026:4215 https://access.redhat.com/errata/RHSA-2026:4215
USN-8065-1 https://usn.ubuntu.com/8065-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59420.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/authlib/authlib
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/authlib/authlib/commit/6b1813e4392eb7c168c276099ff7783b176479df
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-22T18:04:06Z/ Found at https://github.com/authlib/authlib/commit/6b1813e4392eb7c168c276099ff7783b176479df
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/authlib/authlib/security/advisories/GHSA-9ggr-2464-2j32
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-22T18:04:06Z/ Found at https://github.com/authlib/authlib/security/advisories/GHSA-9ggr-2464-2j32
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-59420
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.03089
EPSS Score 0.00015
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:03:50.461759+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2025/59xxx/CVE-2025-59420.json 38.6.0