CVE-2025-59420

CVE Database · CVE-2025-59420

CVE-2025-59420

· HIGHModified

CVSS v3.1

7.5

EPSS

0.24%

Published

Sep 22, 2025

Modified

Nov 3, 2025

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters (crit), violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical header (for example, bork or cnf) that strict verifiers reject but Authlib accepts. In mixed‑language fleets, this enables split‑brain verification and can lead to policy bypass, replay, or privilege escalation. This issue has been patched in version 1.6.4.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Weaknesses (CWE)

CWE-345CWE-863CWE-345

Affected Products (1)

authlib · authlib (up to 1.6.4)vulnerable

References (3)

https://github.com/authlib/authlib/commit/6b1813e4392eb7c168c276099ff7783b176479df

Patch

https://github.com/authlib/authlib/security/advisories/GHSA-9ggr-2464-2j32

ExploitVendor Advisory

https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html

KEV Catalog EPSS Scores Vendors All CVEs