CVE-2025-61920
BaseFortify
Publication date: 2025-10-10
Last updated on: 2025-11-03
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| authlib | authlib | up to 1.6.5 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Authlib's JOSE implementation allows a remote attacker to craft a token with an extremely large base64url-encoded header or signature segment. When Authlib attempts to verify such a token, it decodes and parses the entire large input, causing excessive CPU and memory usage. This can lead to a denial of service condition.
How can this vulnerability impact me?
The vulnerability can cause denial of service by consuming excessive CPU and memory resources during token verification. This can make the affected service unavailable or degrade its performance, impacting availability.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Authlib to version 1.6.5 or later. As temporary workarounds, enforce input size limits on tokens before passing them to Authlib and implement application-level throttling to reduce the risk of denial of service attacks.
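The size-limit workaround described above, as an added example that is not part of this record or of Authlib's own code: a cheap structural pre-check on the compact JWS string that runs before any base64url decoding or JSON parsing, with the segment caps and the `decode` callback (where you would call Authlib's `jwt.decode`) being assumptions chosen for illustration.

```python
import re

# Constructed limits for this example; tune them to the tokens your service actually issues.
MAX_TOKEN_CHARS = 32768
MAX_SEGMENT_CHARS = {"header": 4096, "payload": 16384, "signature": 4096}
_B64URL = re.compile(r"^[A-Za-z0-9_-]*$")


def precheck_compact_jws(token):
    """Reject oversized or malformed compact JWS tokens before JOSE processing.

    Returns (ok, reason). Only string length and character-class checks are done,
    so the cost is linear in the token length and no decoding buffers are allocated.
    """
    if not isinstance(token, str):
        return False, "token is not a string"
    if len(token) > MAX_TOKEN_CHARS:
        return False, f"token length {len(token)} exceeds {MAX_TOKEN_CHARS}"
    parts = token.split(".")
    if len(parts) != 3:
        return False, f"expected 3 segments, got {len(parts)}"
    for name, part in zip(("header", "payload", "signature"), parts):
        if len(part) > MAX_SEGMENT_CHARS[name]:
            return False, f"{name} segment length {len(part)} exceeds {MAX_SEGMENT_CHARS[name]}"
        if not _B64URL.match(part):
            return False, f"{name} segment is not base64url"
    if not parts[0] or not parts[1]:
        return False, "header or payload segment is empty"
    return True, "ok"


def verify_with_precheck(token, decode):
    """Gate a verifier (e.g. lambda t: jwt.decode(t, key)) behind the pre-check."""
    ok, reason = precheck_compact_jws(token)
    if not ok:
        raise ValueError(f"rejected before JOSE parsing: {reason}")
    return decode(token)


# Constructed sample inputs: a normal-looking token and an oversized header segment.
SAMPLE_OK = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.abc"
SAMPLE_OVERSIZED = "A" * 5000 + ".eyJzdWIiOiJ1c2VyIn0.abc"

if __name__ == "__main__":
    for t in (SAMPLE_OK, SAMPLE_OVERSIZED):
        print(precheck_compact_jws(t))
```

The pre-check never replaces signature verification; it only keeps attacker-sized segments from reaching the decoder, so the real `decode` still decides whether the token is valid.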