Miggo Logo
Miggo Vulnerability Database
CVE-2025-61920

CVE-2025-61920: Authlib is vulnerable to Denial of Service via Oversized JOSE Segments

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2025-61920
GHSA ID
GHSA-pq5p-34cr-23v9
EPSS Score
-
CWE
CWE-20
Published
10/10/2025
Updated
10/10/2025
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
authlibpip< 1.6.51.6.5

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability lies in Authlib's JOSE implementation, which failed to limit the size of JWS/JWT header and signature segments. An attacker could send a token with multi-megabyte segments, causing the server to exhaust CPU and memory while decoding and parsing them. This leads to a Denial of Service.

The analysis of the patch commit 867e3f87b072347a1ae9cf6983cc8bbf88447e5e pinpoints the vulnerable functions. The core of the issue is in authlib.jose.util.extract_segment, which performs the base64 decoding. Before the patch, it did so without any size validation. This function is called by authlib.jose.util.extract_header to process the header. The highest-level function in the call stack is authlib.jose.rfc7515.jws.JsonWebSignature.deserialize_compact, which takes the full serialized token as input.

The patch mitigates the vulnerability by adding size checks in all three functions. JsonWebSignature.deserialize_compact now checks the total length of the token, while extract_header and extract_segment check the length of the individual segments before attempting to decode them. During an exploit, these functions would be the primary consumers of system resources, making them key indicators in a runtime profile.

Vulnerable functions

JsonWebSignature.deserialize_compact
authlib/jose/rfc7515/jws.py
This function is the entry point for deserializing a compact JWS. It was vulnerable because it accepted an arbitrarily large input string `s` and proceeded to split and process it, leading to excessive resource consumption. The patch adds a check on the total length of the input string as a first line of defense.
extract_header
authlib/jose/util.py
This function processes the header segment of a JWS/JWT. It was vulnerable because it would process an oversized header segment before passing it to `extract_segment`. The patch adds a size limit before any processing happens.
extract_segment
authlib/jose/util.py
This function is responsible for base64 decoding segments of a JWS/JWT. Before the patch, it lacked a size check, allowing an attacker to force the decoding of excessively large segments, leading to a denial of service through resource exhaustion. The patch adds a check to limit the segment size.

WAF Protection Rules

WAF Rule

**Summ*ry** *ut*li*’s JOS* impl*m*nt*tion ****pts un*oun*** JWS/JWT *****r *n* si*n*tur* s**m*nts. * r*mot* *tt**k*r **n *r**t * tok*n w*os* **s***url‑*n*o*** *****r or si*n*tur* sp*ns *un*r**s o* m****yt*s. *urin* v*ri*i**tion, *ut*li* ***o**s *n* p

Reasoning

T** vuln*r**ility li*s in *ut*li*'s JOS* impl*m*nt*tion, w*i** **il** to limit t** siz* o* JWS/JWT *****r *n* si*n*tur* s**m*nts. *n *tt**k*r *oul* s*n* * tok*n wit* multi-m****yt* s**m*nts, **usin* t** s*rv*r to *x**ust *PU *n* m*mory w*il* ***o*in*