CVE-2025-62706

Exploit

EPSS 0.42%
Veröffentlicht 22.10.2025 21:31:10
Zuletzt bearbeitet 03.11.2025 18:17:02
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Authlib : JWE zip=DEF decompression bomb enables DoS

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable tokens to exhaust memory and CPU and cause denial of service. This issue has been patched in version 1.6.5. Workarounds for this issue involve rejecting or stripping zip=DEF for inbound JWEs at the application boundary, forking and add a bounded decompression guard via decompressobj().decompress(data, MAX_SIZE)) and returning an error when output exceeds a safe limit, or enforcing strict maximum token sizes and fail fast on oversized inputs; combine with rate limiting.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Authlib ≫ Authlib Version < 1.6.5

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.42%	0.332

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://github.com/authlib/authlib/security/advisories/GHSA-g7f3-828f-7h7m

Third Party Advisory

Exploit

Mitigation

https://github.com/authlib/authlib/commit/e0863d5129316b1790eee5f14cece32a03b8184d

Patch

https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html

https://nvd.nist.gov/vuln/detail/CVE-2025-62706

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-62706

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-62706

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-62706