HIGH🇬🇧 English

CVE-2025-59420

CVSS 7.5v3.1pub. 2025-09-22upd. 2025-11-03

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters (crit), violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical header (for example, bork or cnf) that strict verifiers reject but Authlib accepts. In mixed‑language fleets, this enables split‑brain verification and can lead to policy bypass, replay, or privilege escalation. This issue has been patched in version 1.6.4.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • Authlib

    APP
    Authlib
    < 1.6.4
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
LPE
CWE
Referencje

Powiązane podatności

CVE-2026-27962CRITICAL9.1PL ✓ten sam produkt

Authlib: JWK Header Injection umożliwia fałszowanie tokenów JWT

CVE-2026-28498HIGH8.2ten sam produkt

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-l...

CVE-2026-28490HIGH8.3ten sam produkt

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptogra...

CVE-2026-28802HIGH7.7ten sam produkt

Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before versio...

CVE-2025-61920HIGH7.5ten sam produkt

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s J...