CVE-2025-62706
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-22

Last updated on: 2025-11-03

Assigner: GitHub, Inc.

Description
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable tokens to exhaust memory and CPU and cause denial of service. This issue has been patched in version 1.6.5. Workarounds for this issue involve rejecting or stripping zip=DEF for inbound JWEs at the application boundary, forking and add a bounded decompression guard via decompressobj().decompress(data, MAX_SIZE)) and returning an error when output exceeds a safe limit, or enforcing strict maximum token sizes and fail fast on oversized inputs; combine with rate limiting.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-22
Last Modified
2025-11-03
Generated
2026-06-16
AI Q&A
2025-10-23
EPSS Evaluated
2026-06-15
NVD
CVE-2025-62706
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
authlib authlib to 1.6.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Authlib versions prior to 1.6.5, where the JWE zip=DEF path performs unbounded DEFLATE decompression. This means that a very small ciphertext can decompress into a very large amount of data (tens or hundreds of megabytes), allowing an attacker who can supply decryptable tokens to exhaust system memory and CPU resources, causing a denial of service.

Impact Analysis

The vulnerability can lead to denial of service by exhausting memory and CPU resources when processing specially crafted tokens. This can degrade or disrupt the availability of services relying on Authlib for OAuth or OpenID Connect token processing.

Detection Guidance

This vulnerability can be detected by identifying if your system is using Authlib versions prior to 1.6.5 that perform unbounded DEFLATE decompression on JWE tokens with zip=DEF. Detection involves checking the Authlib version in use and monitoring for unusually large decompression operations or memory/CPU exhaustion during token processing. Specific commands are not provided in the available information.

Mitigation Strategies

Immediate mitigation steps include upgrading Authlib to version 1.6.5 or later where the issue is patched; rejecting or stripping the zip=DEF parameter for inbound JWEs at the application boundary; implementing a bounded decompression guard using decompressobj().decompress(data, MAX_SIZE) to limit decompression output size and return an error if exceeded; enforcing strict maximum token sizes and failing fast on oversized inputs; and combining these with rate limiting to reduce the risk of denial of service.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62706. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart