2403179 – (CVE-2025-61920) CVE-2025-61920 authlib: Authlib Denial of Service

Bug 2403179 (CVE-2025-61920) - CVE-2025-61920 authlib: Authlib Denial of Service

Summary: CVE-2025-61920 authlib: Authlib Denial of Service

Keywords:
Status:	NEW
Alias:	CVE-2025-61920
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-10-10 20:01 UTC by OSIDB Bzimport
Modified:	2025-10-10 21:00 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-10-10 20:01:38 UTC

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or signature spans hundreds of megabytes. During verification, Authlib decodes and parses the full input before it is rejected, driving CPU and memory consumption to hostile levels and enabling denial of service. Version 1.6.5 patches the issue. Some temporary workarounds are available. Enforce input size limits before handing tokens to Authlib and/or use application-level throttling to reduce amplification risk.

Note You need to log in before you can comment on or make changes to this bug.