DEBIAN-CVE-2025-59420

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2025-59420
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-59420.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2025-59420
Upstream
Downstream
Published
2025-09-22T18:15:46Z
Modified
2025-10-29T05:10:32.934673Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters (crit), violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical header (for example, bork or cnf) that strict verifiers reject but Authlib accepts. In mixed‑language fleets, this enables split‑brain verification and can lead to policy bypass, replay, or privilege escalation. This issue has been patched in version 1.6.4.

References

Affected packages

Debian:11 / python-authlib

Package

Name
python-authlib
Purl
pkg:deb/debian/python-authlib?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.15.4-1+deb11u1

Affected versions

0.*

0.15.4-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / python-authlib

Package

Name
python-authlib
Purl
pkg:deb/debian/python-authlib?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.2.0-1
1.2.1-1
1.3.0-1
1.3.0-2
1.3.0-3
1.3.1-1
1.3.2-1
1.3.2-2
1.4.0-1
1.4.1-1
1.5.0-1
1.5.1-1
1.5.2-1
1.6.0-1
1.6.1-1
1.6.3-1
1.6.4-1
1.6.5-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / python-authlib

Package

Name
python-authlib
Purl
pkg:deb/debian/python-authlib?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.6.0-1
1.6.1-1
1.6.3-1
1.6.4-1
1.6.5-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:14 / python-authlib

Package

Name
python-authlib
Purl
pkg:deb/debian/python-authlib?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.6.4-1

Affected versions

1.*

1.6.0-1
1.6.1-1
1.6.3-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}