NVD Vulnerability Details: CVE-2025-62706 (Modified)
Source: security-advisories@github.com
Published At: 22 Oct, 2025 | 22:15
Updated At: 03 Nov, 2025 | 18:17

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib's JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable tokens to exhaust memory and CPU and cause denial of service. This issue has been patched in version 1.6.5. Workarounds for this issue include rejecting or stripping zip=DEF for inbound JWEs at the application boundary; forking and adding a bounded decompression guard via decompressobj().decompress(data, MAX_SIZE) that returns an error when output exceeds a safe limit; or enforcing strict maximum token sizes and failing fast on oversized inputs, combined with rate limiting.
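The bounded-decompression guard and the boundary size check described above, as an added example that is not Authlib's own code: it inflates the raw DEFLATE stream that JWE zip=DEF uses with decompressobj().decompress(data, max_length) and rejects any payload whose stream has not ended once the cap is reached. The two limits and the sample payloads are assumptions constructed for illustration.

```python
import zlib

# Limits are assumptions for this example; tune them for your deployment.
MAX_TOKEN_BYTES = 8 * 1024          # fail fast on oversized inbound compact JWEs
MAX_PLAINTEXT_BYTES = 1024 * 1024   # cap on what a zip=DEF payload may inflate to

class DecompressionLimitExceeded(ValueError):
    """Inflated zip=DEF payload would exceed the cap, or the stream never ends."""

def raw_deflate(data: bytes) -> bytes:
    """Raw DEFLATE (RFC 1951, no zlib header): the encoding JWE zip=DEF uses."""
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return c.compress(data) + c.flush()

def bounded_inflate(data: bytes, max_size: int = MAX_PLAINTEXT_BYTES) -> bytes:
    """Inflate raw DEFLATE, refusing to emit more than max_size bytes.

    decompress(data, max_length) returns at most max_length bytes and leaves
    the rest of the stream pending. zlib only reports eof once every output
    byte has been flushed, so eof == False after the call means the plaintext
    is larger than max_size (a decompression bomb) or the input is truncated.
    """
    d = zlib.decompressobj(wbits=-zlib.MAX_WBITS)
    out = d.decompress(data, max_size)
    if not d.eof:
        raise DecompressionLimitExceeded(
            f"zip=DEF payload exceeds {max_size} bytes or is incomplete; "
            f"{len(d.unconsumed_tail)} compressed bytes left unread"
        )
    return out

def inflates_within_limit(data: bytes, max_size: int = MAX_PLAINTEXT_BYTES) -> bool:
    """True if the payload inflates completely within max_size, False if rejected."""
    try:
        bounded_inflate(data, max_size)
        return True
    except DecompressionLimitExceeded:
        return False

def accept_token_size(token: bytes) -> bool:
    """Boundary check applied before any parsing or decryption work is done."""
    return len(token) <= MAX_TOKEN_BYTES

if __name__ == "__main__":
    claims = b'{"sub":"alice","scope":"read"}'          # constructed sample payload
    assert bounded_inflate(raw_deflate(claims)) == claims
    bomb = raw_deflate(b"\x00" * (8 * 1024 * 1024))     # a few KiB in, 8 MiB out
    print(f"bomb: {len(bomb)} bytes compressed, accepted={inflates_within_limit(bomb)}")
```

In a real deployment the guard runs on the decrypted bytes, where Authlib would otherwise call the unbounded inflate, and the token-size check runs before decryption is attempted.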

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type: Secondary
Version: CVSS 3.1
Base score: 6.5
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CPE Matches
Vendor: authlib
Product: authlib
Versions: before 1.6.5 (exclusive)
CPE: cpe:2.3:a:authlib:authlib:*:*:*:*:*:*:*:*
Weaknesses
CWE ID: CWE-400 (Uncontrolled Resource Consumption)
Type: Secondary
Source: security-advisories@github.com
CWE ID: CWE-770 (Allocation of Resources Without Limits or Throttling)
Type: Secondary
Source: security-advisories@github.com
References
Hyperlink: https://github.com/authlib/authlib/commit/e0863d5129316b1790eee5f14cece32a03b8184d
Source: security-advisories@github.com
Resource: Patch
Hyperlink: https://github.com/authlib/authlib/security/advisories/GHSA-g7f3-828f-7h7m
Source: security-advisories@github.com
Resource: Exploit, Mitigation, Third Party Advisory
Hyperlink: https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A