Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible...

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Description

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters (crit), violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical header (for example, bork or cnf) that strict verifiers reject but Authlib accepts. In mixed‑language fleets, this enables split‑brain verification and can lead to policy bypass, replay, or privilege escalation. This issue has been patched in version 1.6.4.

Basic Information

ID CVE-2025-59420

Source GitHub_M

Published Sep 22, 2025 at 17:28

Affected Product

Vendor authlib

Product authlib

Version < 1.6.4

Affected Versions authlib authlib < 1.6.4

CWE Classification

CWE-345 CWE-863

References

{
    "lastseen": "",
    "description": "Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib\u2019s JWS verification accepts tokens that declare unknown critical header parameters (crit), violating RFC 7515 \u201cmust\u2011understand\u201d semantics. An attacker can craft a signed token with a critical header (for example, bork or cnf) that strict verifiers reject but Authlib accepts. In mixed\u2011language fleets, this enables split\u2011brain verification and can lead to policy bypass, replay, or privilege escalation. This issue has been patched in version 1.6.4.",
    "published": "2025-09-22T17:28:53.869Z",
    "modified": "2025-09-22T17:28:53.869Z",
    "type": "cve",
    "title": "Authlib: JWS/JWT accepts unknown crit headers (RFC violation \u2192 possible authz bypass)",
    "source": "GitHub_M",
    "references": "https://github.com/authlib/authlib/security/advisories/GHSA-9ggr-2464-2j32\nhttps://github.com/authlib/authlib/commit/6b1813e4392eb7c168c276099ff7783b176479df",
    "id": "CVE-2025-59420",
    "bulletinFamily": "",
    "cwe": [
        "CWE-345",
        "CWE-863"
    ],
    "cvelist": null,
    "sourceData": "authlib authlib < 1.6.4",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "authlib",
    "version": "< 1.6.4",
    "vendor": "authlib",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass)_CVE-2025-59420