CVE-2025-61920 Overview
CVE-2025-61920 is a Denial of Service vulnerability affecting Authlib, a Python library used to build OAuth and OpenID Connect servers. The vulnerability exists in Authlib's JOSE (JSON Object Signing and Encryption) implementation, which accepts unbounded JWS (JSON Web Signature) and JWT (JSON Web Token) header and signature segments without proper size validation. A remote attacker can exploit this flaw by crafting malicious tokens with excessively large base64url-encoded header or signature segments spanning hundreds of megabytes. When Authlib attempts to verify these tokens, it decodes and parses the full input before rejection, leading to severe CPU and memory exhaustion that can bring down the affected service.
Critical Impact
Remote attackers can cause complete service denial by sending crafted JWS/JWT tokens with oversized segments, exhausting server resources and potentially impacting availability of OAuth/OIDC authentication services.
Affected Products
- Authlib versions prior to 1.6.5
Discovery Timeline
- 2025-10-10 - CVE CVE-2025-61920 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2025-61920
Vulnerability Analysis
This vulnerability is classified as CWE-20 (Improper Input Validation) and represents a Resource Exhaustion attack vector. The flaw resides in how Authlib's JOSE implementation handles incoming JWS and JWT tokens during the verification process. The library does not enforce size limits on the base64url-encoded segments that comprise a JWT or JWS token.
A standard JWT consists of three base64url-encoded segments separated by periods: the header, the payload, and the signature. When Authlib receives a token for verification, it fully decodes and parses each segment before performing any validation checks. An attacker can exploit this behavior by crafting tokens with massively oversized header or signature segments—potentially hundreds of megabytes in size.
The impact is significant because even a single malicious request can consume substantial server resources. The attack is network-accessible, requires no authentication or user interaction, and can be launched remotely against any service using vulnerable Authlib versions for token verification.
Root Cause
The root cause is the absence of input size validation in Authlib's JOSE token parsing logic. The library processes the entire token payload during verification without first checking whether the incoming data exceeds reasonable size limits. This allows an attacker to force the server to allocate excessive memory and CPU cycles for decoding and parsing oversized base64url-encoded data, leading to resource exhaustion before any semantic validation can reject the malformed token.
Attack Vector
The attack vector is network-based. An attacker can send HTTP requests containing maliciously crafted JWT or JWS tokens to any endpoint that uses Authlib for token verification. The attack characteristics include:
- Network-accessible: Exploitable remotely without local access
- No authentication required: Attacks can be launched by unauthenticated users
- No user interaction needed: Fully automated exploitation is possible
- Availability impact: Complete service disruption is achievable through resource exhaustion
The attacker constructs a token with an oversized base64url-encoded header or signature segment. When this token is submitted to an application endpoint that calls Authlib's verification functions, the library attempts to decode the entire payload, triggering excessive memory allocation and CPU processing. Repeated requests can amplify the denial of service effect.
Detection Methods for CVE-2025-61920
Indicators of Compromise
- Abnormally large HTTP request bodies containing JWT/JWS tokens in Authorization headers or request payloads
- Memory usage spikes on servers running Authlib-based authentication services
- Increased CPU utilization during token processing operations
- Application logs showing parsing timeouts or out-of-memory errors during token verification
Detection Strategies
- Monitor for HTTP requests containing unusually large Authorization: Bearer tokens exceeding typical JWT sizes (standard JWTs are typically under 8KB)
- Implement request size monitoring at load balancers and web application firewalls to detect oversized token submissions
- Track memory and CPU metrics on authentication services and alert on anomalous resource consumption patterns
- Review application logs for exceptions related to token parsing failures or memory allocation errors
Monitoring Recommendations
- Configure application performance monitoring (APM) to track resource usage during token verification operations
- Set up alerting thresholds for memory consumption on services using Authlib for OAuth/OIDC
- Implement request logging to capture token sizes for forensic analysis
- Monitor for repeated requests from single sources that may indicate DoS attempts
How to Mitigate CVE-2025-61920
Immediate Actions Required
- Upgrade Authlib to version 1.6.5 or later, which includes the security patch for this vulnerability
- Implement input size validation at the application layer before passing tokens to Authlib for verification
- Deploy rate limiting and request throttling on authentication endpoints to reduce amplification risk
- Configure web application firewalls to reject requests with oversized token payloads
Patch Information
Authlib version 1.6.5 patches this vulnerability by implementing proper size validation for JWS/JWT segments before processing. The fix is available via the GitHub commit. Users should update immediately using their package manager:
pip install --upgrade authlib>=1.6.5
Additional details are available in the GitHub Security Advisory. Debian users should refer to the Debian LTS Announcement for distribution-specific updates.
Workarounds
- Enforce input size limits at the application level before passing tokens to Authlib for verification
- Implement application-level request throttling to limit the rate of token verification requests per client
- Configure reverse proxies or load balancers to reject requests exceeding reasonable size thresholds
- Deploy network-level rate limiting to prevent amplification attacks from overwhelming resources
# Example: Configure nginx to limit request body size for authentication endpoints
location /oauth/ {
client_max_body_size 16k;
limit_req zone=auth_limit burst=10 nodelay;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
