CVE-2025-61920: 
Python vulnerability analysis and mitigation

Authlib, a Python library for building OAuth and OpenID Connect servers, was found to contain a vulnerability (CVE-2025-61920) in versions prior to 1.6.5. The vulnerability was discovered and disclosed on October 10, 2025. The issue lies in Authlib's JOSE implementation, which accepts unbounded JWS/JWT header and signature segments, allowing remote attackers to craft tokens with oversized base64url-encoded headers or signatures (GitHub Advisory, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The issue is categorized under multiple CWE categories including CWE-770 (Allocation of Resources Without Limits or Throttling), CWE-400 (Uncontrolled Resource Consumption), and CWE-20 (Improper Input Validation). During testing, a 500 MB header consumed approximately 4 GB RSS and 9 seconds of CPU time before failing (Miggo).

The vulnerability enables a denial of service attack through resource exhaustion. When verifying malicious tokens, Authlib decodes and parses the full input before rejection, leading to excessive CPU and memory consumption. A single request can exhaust service capacity, with observed behavior showing significant resource consumption - approximately 4 GB of RAM and 9 seconds of CPU time for processing a 500 MB header (GitHub Advisory).

The vulnerability is patched in version 1.6.5, which introduces size limitations of 256 KB for both header and signature segments. For users unable to upgrade immediately, temporary workarounds include enforcing input size limits before passing tokens to Authlib and implementing application-level throttling to reduce amplification risk. Additional defense-in-depth measures include rejecting JWS/JWT inputs above a few kilobytes at the proxy or WAF layer (Red Hat, GitHub Advisory).