CVE-2025-62706

Published: Oct 22, 2025

Modified: Nov 3, 2025

PUBLISHED

CVSS v3.1

6.5

MEDIUM

Description

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable tokens to exhaust memory and CPU and cause denial of service. This issue has been patched in version 1.6.5. Workarounds for this issue involve rejecting or stripping zip=DEF for inbound JWEs at the application boundary, forking and add a bounded decompression guard via decompressobj().decompress(data, MAX_SIZE)) and returning an error when output exceeds a safe limit, or enforcing strict maximum token sizes and fail fast on oversized inputs; combine with rate limiting.

Vendor	Product	Versions
authlib	authlib	affected `< 1.6.5`

Weaknesses (CWE)

CWE-400

CWE-770

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/authlib/authlib/security/advisories/GHSA-g7f3-828f-7h7m

x_refsource_CONFIRM

https://github.com/authlib/authlib/commit/e0863d5129316b1790eee5f14cece32a03b8184d

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-62706

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References