CVE-2025-61920: 
Python vulnerability analysis and mitigation

Authlib, a Python library for building OAuth and OpenID Connect servers, was found to contain a vulnerability (CVE-2025-61920) in versions prior to 1.6.5. The vulnerability lies in Authlib's JOSE implementation, which accepts unbounded JWS/JWT header and signature segments. This vulnerability was discovered and disclosed on October 10, 2025 (GitHub Advisory).

The vulnerability stems from the JOSE implementation's failure to limit the size of JWS/JWT header and signature segments. A remote attacker can craft a token with base64url-encoded header or signature segments spanning hundreds of megabytes. During verification, Authlib processes the entire input before rejection, leading to excessive CPU and memory consumption. On a test system, verifying a 500 MB header consumed approximately 4 GB RSS and 9 seconds of CPU time before failing. The vulnerability has been assigned a CVSS v3.1 score of 7.5 (High) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).

The vulnerability enables denial of service attacks through resource exhaustion. When processing malicious tokens, affected systems experience high CPU utilization and significant memory allocation, potentially exhausting service capacity with a single request. The attack requires no authentication and can be executed by any remote attacker with network access to the target system (GitHub Advisory).

The vulnerability has been patched in version 1.6.5, which introduces decoded size limits of 256 KB for both header and signature segments. For systems unable to immediately update, temporary workarounds include implementing input size limits before passing tokens to Authlib and using application-level throttling to reduce amplification risk. Additionally, it is recommended to reject JWS/JWT inputs above a few kilobytes at the proxy or WAF layer and implement rate-limiting on verification endpoints (GitHub Advisory).