
Cloud Vulnerability DB
A community-led vulnerabilities database
Authlib, a Python library for building OAuth and OpenID Connect servers, was found to have a security vulnerability (CVE-2025-59420) prior to version 1.6.4. The vulnerability was discovered and disclosed on September 22, 2025. The issue affects the JWS verification functionality, which incorrectly accepts tokens that declare unknown critical header parameters (crit), violating RFC 7515 'must-understand' semantics (GitHub Advisory).
The vulnerability stems from Authlib's JWS verification process not enforcing the RFC 7515 §4.1.11 requirements for critical header parameters. When a compact JWS carries a protected header whose 'crit' array lists parameters the verifier does not understand (for example 'cnf' or 'bork'), Authlib verifies the signature and returns the payload instead of rejecting the token, and it does not enforce the semantics of the critical parameter. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (GitHub Advisory, NVD).
The vulnerability can lead to split-brain verification in heterogeneous environments where different JWT verifiers are used. While strict verifiers (like Java Nimbus JOSE+JWT or Node jose v5) correctly reject tokens with unknown critical parameters, Authlib accepts them. This inconsistency can enable policy bypass, replay attacks, or privilege escalation, particularly when 'crit' carries binding or policy information (GitHub Advisory).
The vulnerability has been patched in Authlib version 1.6.4. The fix enforces proper validation of critical header parameters during verification, rejecting tokens that list any critical parameter that is not explicitly understood and enforced. Users are advised to upgrade to version 1.6.4 or later (GitHub Advisory).
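The following is an added example, not code from Authlib or from the advisory, showing what the RFC 7515 §4.1.11 'must-understand' check described above looks like in a verifier. It is a minimal HS256 compact-JWS verifier with a constructed demo key; the `check_crit` routine rejects any 'crit' entry that is malformed, names a JWS-defined header, is absent from the protected header, or is not in the set of extensions this verifier actually understands (`understood`, a hypothetical parameter). The check runs before the payload is returned, so a token such as the 'bork' case in the advisory fails closed rather than being accepted on a valid signature alone.

```python
import base64
import hashlib
import hmac
import json

# Header names defined by JWS/JWA themselves; RFC 7515 section 4.1.11 says they
# MUST NOT appear in "crit", so a token that lists them is malformed.
JWS_REGISTERED = {"alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256",
                  "typ", "cty", "crit"}


class InvalidToken(Exception):
    """Raised for any token that must not be trusted."""


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def check_crit(header: dict, understood: frozenset) -> None:
    """Enforce must-understand semantics for the protected 'crit' parameter.

    `understood` is the set of extension header names this verifier implements
    and enforces (hypothetical parameter; empty by default).
    """
    if "crit" not in header:
        return
    crit = header["crit"]
    if not isinstance(crit, list) or not crit:
        raise InvalidToken("crit must be a non-empty array")
    seen = set()
    for name in crit:
        if not isinstance(name, str) or not name:
            raise InvalidToken("crit entries must be non-empty strings")
        if name in seen:
            raise InvalidToken(f"duplicate crit entry: {name}")
        seen.add(name)
        if name in JWS_REGISTERED:
            raise InvalidToken(f"crit must not list JWS-defined header: {name}")
        if name not in header:
            raise InvalidToken(f"crit names a header that is not present: {name}")
        if name not in understood:
            # This is the case the advisory describes: an unknown critical
            # parameter must cause rejection, not a successful verification.
            raise InvalidToken(f"unsupported critical header parameter: {name}")


def verify_hs256(token: str, key: bytes, understood: frozenset = frozenset()) -> dict:
    """Verify a compact HS256 JWS and return its payload, or raise InvalidToken."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("compact JWS must have exactly three segments")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    check_crit(header, understood)  # reject before the payload can be trusted
    signing_input = f"{h_b64}.{p_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise InvalidToken("signature mismatch")
    return json.loads(_b64url_decode(p_b64))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Produce a compact HS256 JWS (used only to build constructed test tokens)."""
    h_b64 = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p_b64 = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    return f"{h_b64}.{p_b64}.{_b64url_encode(sig)}"


def accepts(token: str, key: bytes, understood: frozenset = frozenset()) -> bool:
    """True if the verifier would accept the token, False if it rejects it."""
    try:
        verify_hs256(token, key, understood)
        return True
    except InvalidToken:
        return False


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key, not a real secret
    payload = {"sub": "alice"}
    plain = sign_hs256({"alg": "HS256"}, payload, key)
    unknown_crit = sign_hs256({"alg": "HS256", "crit": ["bork"], "bork": 1}, payload, key)
    print("plain token accepted:", accepts(plain, key))                 # True
    print("unknown crit accepted:", accepts(unknown_crit, key))         # False
```

Both constructed tokens carry valid signatures; the only difference is the 'crit' entry, which is exactly what a signature-only verifier misses. Whitelisting a name in `understood` is only correct if the verifier also implements that parameter's semantics, which is why the default is empty.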
Source: This report was generated using AI