UBUNTU-CVE-2025-61920

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2025-61920

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-61920.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2025-61920

Upstream

CVE-2025-61920

Published

2025-10-10T20:15:00Z

Modified

2025-10-16T08:02:49.230129Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or signature spans hundreds of megabytes. During verification, Authlib decodes and parses the full input before it is rejected, driving CPU and memory consumption to hostile levels and enabling denial of service. Version 1.6.5 patches the issue. Some temporary workarounds are available. Enforce input size limits before handing tokens to Authlib and/or use application-level throttling to reduce amplification risk.

References

Affected packages

Ubuntu:22.04:LTS / python-authlib

Package

Name: python-authlib
Purl: pkg:deb/ubuntu/python-authlib@0.15.5-1?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.15.4-1

0.15.5-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.15.5-1",
            "binary_name": "python3-authlib"
        }
    ]
}

Ubuntu:24.04:LTS / python-authlib

Package

Name: python-authlib
Purl: pkg:deb/ubuntu/python-authlib@1.3.0-1?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.2.1-1

1.3.0-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.3.0-1",
            "binary_name": "python3-authlib"
        }
    ]
}

Ubuntu:25.10 / python-authlib

Package

Name: python-authlib
Purl: pkg:deb/ubuntu/python-authlib@1.6.0-1?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.5.1-1

1.5.2-1

1.6.0-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.6.0-1",
            "binary_name": "python3-authlib"
        }
    ]
}

Ubuntu:25.04 / python-authlib

Package

Name: python-authlib
Purl: pkg:deb/ubuntu/python-authlib@1.5.1-1?arch=source&distro=plucky

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.3.2-1

1.3.2-2

1.4.0-1

1.4.1-1

1.5.1-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.5.1-1",
            "binary_name": "python3-authlib"
        }
    ]
}