CVE-2025-62706

MEDIUM

Authlib < 1.6.5 - Denial of Service

Title source: rule

Description

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable tokens to exhaust memory and CPU and cause denial of service. This issue has been patched in version 1.6.5. Workarounds for this issue involve rejecting or stripping zip=DEF for inbound JWEs at the application boundary, forking and add a bounded decompression guard via decompressobj().decompress(data, MAX_SIZE)) and returning an error when output exceeds a safe limit, or enforcing strict maximum token sizes and fail fast on oversized inputs; combine with rate limiting.

References (3)

Core 3

Core References

Exploit, Mitigation, Third Party Advisory x_refsource_confirm

https://github.com/authlib/authlib/security/advisories/GHSA-g7f3-828f-7h7m

Patch x_refsource_misc

https://github.com/authlib/authlib/commit/e0863d5129316b1790eee5f14cece32a03b8184d

View Patch ZIP pw:eip

Mailing List

https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html

Scores

CVSS v3 6.5

EPSS 0.0013

EPSS Percentile 32.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-770 CWE-400

Status published

Products (2)

authlib/authlib < 1.6.5

pypi/authlib 0 - 1.6.5PyPI

Published Oct 22, 2025

Tracked Since Feb 18, 2026