Insufficient Verification of Data Authenticity in Authlib
CVE-2025-59420
- Authlib
Summary
Authlib is a Python library for building OAuth and OpenID Connect servers. In versions prior to 1.6.4, Authlib's JWS verification accepts tokens that declare unknown critical header parameters ("crit"), violating the RFC 7515 "must-understand" semantics. An attacker can craft a signed token with a critical header (for example, "bork" or "cnf") that strict verifiers reject but Authlib accepts. In mixed-language fleets, this enables split-brain verification and can lead to policy bypass, replay attacks, or privilege escalation.
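As an added illustration (not Authlib's code and not part of this advisory), the following strict compact-JWS verifier applies the RFC 7515 "must-understand" rule the summary refers to: if a protected header carries "crit", every listed parameter must be one the verifier implements, must not be a header registered by RFC 7515 itself, and must actually be present; otherwise the token is rejected before it is trusted. Everything here is constructed: the HS256 key, the sample tokens, and the (empty) set of extension headers this verifier claims to understand.

```python
"""Strict compact-JWS verifier enforcing RFC 7515 section 4.1.11 ("crit").
Added example, not Authlib's implementation; key and tokens are constructed."""
import base64
import hashlib
import hmac
import json

# Header parameters defined by RFC 7515 itself; section 4.1.11 forbids listing these in "crit".
JWS_REGISTERED_HEADERS = {
    "alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256", "typ", "cty", "crit",
}

# Extension header parameters this verifier actually implements (assumption: none).
UNDERSTOOD_EXTENSIONS = frozenset()


class JWSError(ValueError):
    """Raised for any reason the token must not be trusted."""


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def check_crit(header: dict, understood=UNDERSTOOD_EXTENSIONS) -> None:
    """Reject the header unless every 'crit' entry is understood (RFC 7515 section 4.1.11)."""
    if "crit" not in header:
        return
    crit = header["crit"]
    if not isinstance(crit, list) or not crit or not all(isinstance(c, str) for c in crit):
        raise JWSError("crit must be a non-empty array of strings")
    for name in crit:
        if name in JWS_REGISTERED_HEADERS:
            raise JWSError(f"crit must not list registered header {name!r}")
        if name not in understood:
            # This is the branch a lenient verifier skips; a strict one fails closed here.
            raise JWSError(f"unsupported critical header parameter {name!r}")
        if name not in header:
            raise JWSError(f"critical header {name!r} listed but absent")


def verify_hs256(token: str, key: bytes, understood=UNDERSTOOD_EXTENSIONS) -> dict:
    """Verify an HS256 compact JWS; return the decoded payload only on full success."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise JWSError("malformed compact serialization")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise JWSError("unexpected alg")
    check_crit(header, understood)  # must-understand check before the token is trusted
    signing_input = f"{h_b64}.{p_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise JWSError("bad signature")
    return json.loads(_b64url_decode(p_b64))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Produce a compact HS256 JWS; used only to build the constructed sample tokens."""
    h_b64 = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p_b64 = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    return f"{h_b64}.{p_b64}.{_b64url_encode(sig)}"


# Constructed sample material (not real secrets or real tokens).
KEY = b"constructed-demo-key-not-a-real-secret"
PAYLOAD = {"sub": "alice", "scope": "read"}
TOKEN_PLAIN = sign_hs256({"alg": "HS256"}, PAYLOAD, KEY)
TOKEN_UNKNOWN_CRIT = sign_hs256({"alg": "HS256", "crit": ["bork"], "bork": True}, PAYLOAD, KEY)


def outcome(token: str, key: bytes = KEY) -> str:
    """Human-readable verdict for a token under the strict verifier."""
    try:
        verify_hs256(token, key)
        return "accepted"
    except JWSError as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    print(outcome(TOKEN_PLAIN))          # accepted
    print(outcome(TOKEN_UNKNOWN_CRIT))   # rejected: unsupported critical header parameter 'bork'
```

The second token carries a perfectly valid signature, which is exactly the point: signature validity alone says nothing about whether the verifier understood every processing rule the header demands. A verifier that ignores "crit" accepts that token while a strict one rejects it, and a fleet mixing the two behaviours is what the advisory calls split-brain verification. The `understood` parameter is how a deployment that genuinely implements an extension (say, a confirmation-key header) opts that name in explicitly rather than accepting anything by default.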
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- NONE
- NONE
- NONE
CWE-345 - Insufficient Verification of Data Authenticity
The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
References
Advisory Timeline
- Published