
Cloud Vulnerability DB
A community-led vulnerabilities database
Authlib, a Python library for building OAuth and OpenID Connect servers, was found to have a security vulnerability (CVE-2025-59420) in versions prior to 1.6.4. The vulnerability relates to JWS verification accepting tokens that declare unknown critical header parameters (crit), which violates RFC 7515 'must-understand' semantics. This vulnerability was discovered and disclosed on September 20, 2025, affecting all versions up to 1.6.3 (GitHub Advisory).
The vulnerability stems from Authlib's improper handling of the 'crit' (critical) header parameter in JWS tokens. When processing tokens containing unknown critical headers, Authlib incorrectly accepts and verifies them instead of rejecting them as required by RFC 7515 §4.1.11. The issue has been assigned a CVSS v3.1 Base Score of 7.5 (High) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. The vulnerability is classified under CWE-345 (Insufficient Verification of Data Authenticity) and CWE-863 (Incorrect Authorization) (GitHub Advisory).
The vulnerability enables attackers to craft signed tokens with critical headers (such as 'bork' or 'cnf') that strict verifiers reject but Authlib accepts. In mixed-language environments, this creates a split-brain verification scenario where some components reject tokens while Authlib-based services accept them. This can lead to policy bypass, replay attacks, or privilege escalation, particularly when critical headers carry security-sensitive semantics such as token binding (GitHub Advisory).
The vulnerability has been patched in Authlib version 1.6.4. Users should upgrade to this version or later. The fix involves proper enforcement of the 'crit' header during verification, rejecting tokens that list any critical parameter that is not explicitly understood and enforced (GitHub Advisory, GitHub Commit).
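The following is an added illustration, not Authlib's code or the 1.6.4 patch: a minimal HS256 JWS verifier that applies the RFC 7515 §4.1.11 must-understand rule the advisory describes, checked against a token carrying the unknown critical header 'bork' mentioned above. The key, the header values and the tokens are constructed for the demo.

```python
import base64, hashlib, hmac, json

# Header names registered by RFC 7515 §4.1; a producer may never list them in "crit".
REGISTERED = {"alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256", "typ", "cty", "crit"}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def check_crit(header: dict, understood: frozenset) -> None:
    """RFC 7515 §4.1.11: reject a token whose crit list names anything we do not enforce."""
    if "crit" not in header:
        return
    crit = header["crit"]
    if not isinstance(crit, list) or not crit or not all(isinstance(n, str) for n in crit):
        raise ValueError("crit must be a non-empty array of strings")
    if len(set(crit)) != len(crit):
        raise ValueError("crit contains duplicate names")
    for name in crit:
        # registered names, names absent from the header, and names we do not enforce all fail
        if name in REGISTERED or name not in header or name not in understood:
            raise ValueError(f"unacceptable critical header: {name}")

def verify_hs256(token: str, key: bytes, understood: frozenset = frozenset()) -> dict:
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    check_crit(header, understood)  # the must-understand step a lenient verifier skips
    return json.loads(b64url_decode(p_b64))

def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    h_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    return f"{h_b64}.{p_b64}.{b64url_encode(sig)}"

KEY = b"constructed-demo-key"  # constructed sample key for the demo, not a real secret
TOKEN_PLAIN = sign_hs256({"alg": "HS256"}, {"sub": "alice"}, KEY)
TOKEN_UNKNOWN_CRIT = sign_hs256({"alg": "HS256", "crit": ["bork"], "bork": 1}, {"sub": "alice"}, KEY)

def is_accepted(token: str, understood: frozenset = frozenset(), key: bytes = KEY) -> bool:
    try:
        return verify_hs256(token, key, understood) is not None
    except ValueError:
        return False
```

A verifier that only checks the signature accepts TOKEN_UNKNOWN_CRIT; with the crit check in place it is rejected unless "bork" is in the understood set.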
Source: This report was generated using AI