CVE-2025-59420

Published: Sep 22, 2025

Modified: Nov 3, 2025

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters (crit), violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical header (for example, bork or cnf) that strict verifiers reject but Authlib accepts. In mixed‑language fleets, this enables split‑brain verification and can lead to policy bypass, replay, or privilege escalation. This issue has been patched in version 1.6.4.

Vendor	Product	Versions
authlib	authlib	affected `< 1.6.4`

Weaknesses (CWE)

CWE-345

CWE-863

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

References

https://github.com/authlib/authlib/security/advisories/GHSA-9ggr-2464-2j32

x_refsource_CONFIRM

https://github.com/authlib/authlib/commit/6b1813e4392eb7c168c276099ff7783b176479df

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-59420

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References