GHSA-g7f3-828f-7h7m: 
Python vulnerability analysis and mitigation

A vulnerability in Authlib's JWE zip=DEF implementation (GHSA-g7f3-828f-7h7m) was discovered, affecting versions prior to 1.6.5. The vulnerability allows attackers to perform denial of service attacks through unbounded DEFLATE decompression. The issue was disclosed and patched on October 10, 2025, with a CVSS score of 6.5 (Moderate) (GitHub Advisory).

The vulnerability exists in Authlib's JOSE JWE zip=DEF (DEFLATE) support. The DeflateZipAlgorithm.decompress method in authlib/jose/rfc7518/jwe_zips.py calls zlib.decompress(s, -zlib.MAX_WBITS) without implementing a maximum output limit. When the protected header contains 'zip': 'DEF', the JWE decode flow processes the decrypted ciphertext through the decompress method without any streaming limit or quota. The CVSS base vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility, low attack complexity, and high availability impact (GitHub Advisory).

The vulnerability enables denial of service attacks through memory and CPU exhaustion during JWE token decryption. A small ciphertext can expand into tens or hundreds of megabytes during decryption, with demonstration showing that a 4KB ciphertext can decompress to 50MB, consuming significant system resources. This affects any service using Authlib to decrypt JWE tokens with zip=DEF where attackers can submit decryptable tokens (GitHub Advisory).

Several mitigation strategies are recommended: 1) Reject or strip zip=DEF for inbound JWEs at the application boundary until patching, 2) Implement a bounded decompression guard using zlib.decompress with max_length parameter, 3) Enforce strict maximum token sizes and implement rate limiting. The vulnerability is patched in version 1.6.5, which implements proper decompression limits (GitHub Advisory).