CVE-2025-59420

Severity: High · EPSS 15.5%
Published Sep 22, 2025 (9mo ago) · Modified Jun 17, 2026 (1w ago)
CVSS 3.1 base score: 7.5 (High)

Description

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib's JWS verification accepts tokens that declare unknown critical header parameters (crit), violating RFC 7515 "must-understand" semantics. An attacker can craft a signed token with a critical header (for example, bork or cnf) that strict verifiers reject but Authlib accepts. In mixed-language fleets, this enables split-brain verification and can lead to policy bypass, replay, or privilege escalation. This issue has been patched in version 1.6.4.
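The defect above is a verifier that ignores the "crit" header instead of treating it as must-understand. The following is an added example, not Authlib's code and not part of the advisory, of the check RFC 7515 section 4.1.11 requires: a minimal hand-rolled HS256 JWS verifier that rejects any token listing a critical header it does not implement, an empty "crit" array, duplicate names, or registered header names. The demo key, payload, tokens and the extension name "bork" are constructed for the example; "bork" is accepted only when the verifier is explicitly configured to understand it.

```python
import base64
import hashlib
import hmac
import json

# Registered JWS header parameter names (RFC 7515 section 4.1). RFC 7515
# section 4.1.11 forbids listing any of these in "crit".
REGISTERED_HEADER_NAMES = frozenset(
    {"alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256", "typ", "cty", "crit"}
)


def _b64url_decode(text: str) -> bytes:
    data = text.encode("ascii")
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_crit(header: dict, understood: frozenset) -> None:
    """Enforce RFC 7515 must-understand semantics for the "crit" header.

    `understood` is the set of extension header names this verifier actually
    implements; any critical name outside that set is a hard rejection.
    """
    crit = header.get("crit")
    if crit is None:
        return
    if not isinstance(crit, list) or not crit:
        raise ValueError('"crit" must be a non-empty array')
    if not all(isinstance(name, str) for name in crit):
        raise ValueError('"crit" entries must be strings')
    if len(set(crit)) != len(crit):
        raise ValueError('"crit" contains duplicate names')
    for name in crit:
        if name in REGISTERED_HEADER_NAMES:
            raise ValueError(f'"crit" must not list registered header {name!r}')
        if name not in header:
            raise ValueError(f'"crit" names header {name!r} that is not present')
        if name not in understood:
            raise ValueError(f"unsupported critical header {name!r}")


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Produce a compact HS256 JWS; used here only to build the constructed test tokens."""
    h_b64 = _b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    p_b64 = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    return f"{h_b64}.{p_b64}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, understood: frozenset = frozenset()) -> dict:
    """Verify a compact HS256 JWS and return its payload, refusing unknown critical headers."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three segments")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected or missing alg")
    # Header policy first: a token we cannot fully interpret is rejected before
    # any claim from it is trusted, even if its signature would verify.
    check_crit(header, understood)
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(p_b64))


def classify(token: str, key: bytes, understood: frozenset = frozenset()) -> str:
    """Return "accepted" or "rejected: <reason>" for a token under this verifier's policy."""
    try:
        verify_hs256(token, key, understood)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


# Constructed demo key, payload and tokens (not real credentials or real tokens).
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
DEMO_PAYLOAD = {"sub": "alice", "scope": "read"}

DEMO_TOKENS = {
    "plain": sign_hs256({"alg": "HS256"}, DEMO_PAYLOAD, DEMO_KEY),
    # The advisory's case: a valid signature over a header declaring an
    # extension ("bork") as critical; a strict verifier must refuse it.
    "unknown_crit": sign_hs256({"alg": "HS256", "crit": ["bork"], "bork": True}, DEMO_PAYLOAD, DEMO_KEY),
    "empty_crit": sign_hs256({"alg": "HS256", "crit": []}, DEMO_PAYLOAD, DEMO_KEY),
    "registered_in_crit": sign_hs256({"alg": "HS256", "crit": ["alg"]}, DEMO_PAYLOAD, DEMO_KEY),
}


def demo() -> dict:
    """Run every constructed token through the verifier and collect the outcomes."""
    results = {name: classify(tok, DEMO_KEY) for name, tok in DEMO_TOKENS.items()}
    # Same "bork" token, but the verifier is configured to implement that extension.
    results["unknown_crit_when_understood"] = classify(
        DEMO_TOKENS["unknown_crit"], DEMO_KEY, frozenset({"bork"})
    )
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28s} {outcome}")
```

The ordering matters for the split-brain scenario the advisory describes: the header policy runs before the signature check, so a token with an unknown critical header is rejected for the same reason regardless of who signed it, and every verifier in a fleet applying this rule reaches the same verdict.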

CVSS Details

Base Score: 7.5
Exploitability: 3.9
Impact: 3.6
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Threat Intelligence

EPSS Exploit Probability: 15.5% percentile
Exploit & Patch Status: Public Exploit Known; Patch Available

Weaknesses (2)

CWE-345 Insufficient Verification of Data Authenticity
CWE-863 Incorrect Authorization

Affected Products (1)

Vendor    Product    Version    Range
authlib   authlib    *          <1.6.4

References (3)

  • github.com https://github.com/authlib/authlib/commit/6b1813e4392eb7c168c276099ff7783b176479df
    Patch
  • github.com https://github.com/authlib/authlib/security/advisories/GHSA-9ggr-2464-2j32
    Exploit, Vendor Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html

Remediation

  • github.com https://github.com/authlib/authlib/commit/6b1813e4392eb7c168c276099ff7783b176479df
    Patch