Token Verification Flaw in Authlib Python Library
CVE-2025-59420

7.5 HIGH

Key Information:

Vendor: Authlib

Status
Vendor
CVE Published: 22 September 2025

What is CVE-2025-59420?

Authlib, a Python library for building OAuth and OpenID Connect servers, has a significant flaw in its JWS verification. Prior to version 1.6.4, the library accepted tokens whose critical header parameters it did not recognize. This contradicts the 'must-understand' rule of RFC 7515: a verifier that does not implement a header listed as critical must reject the token. As a result, an attacker could produce signed tokens carrying critical headers that a compliant verifier would reject but Authlib would accept. Such a discrepancy can lead to serious security issues, including policy bypass, replay attacks, or privilege escalation, especially in mixed-language environments where different verifiers handle the same tokens. Version 1.6.4 addresses this vulnerability.
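The check that RFC 7515 section 4.1.11 requires, as an added example that is not Authlib's code: it parses the protected header of a compact JWS and rejects the token when the `crit` array is malformed, names a standard header, or lists an extension this verifier does not implement (the case the advisory describes). The `understood` set, `b64` (RFC 7797) as the sample extension, and the constructed dummy tokens are assumptions of this example.

```python
import base64
import json

# Header names registered for JWS by RFC 7515 section 4.1; per section 4.1.11
# these must never be listed in "crit".
STANDARD_HEADERS = frozenset({"alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t",
                              "x5t#S256", "typ", "cty", "crit"})


def _b64url_decode(segment: str) -> bytes:
    # JWS segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def crit_problem(header: dict, understood: frozenset) -> "str | None":
    """Apply the RFC 7515 "crit" rules to a protected header.
    Returns None if acceptable, otherwise the reason the JWS must be rejected.
    The must-understand rule is the one the advisory concerns: an unknown
    critical extension invalidates the JWS even if its signature is valid."""
    if "crit" not in header:
        return None
    crit = header["crit"]
    if not isinstance(crit, list) or not crit:
        return '"crit" must be a non-empty array'
    for name in crit:
        if not isinstance(name, str):
            return '"crit" entries must be strings'
        if name in STANDARD_HEADERS:
            return f'"crit" may not list the standard header {name!r}'
        if name not in header:
            return f'critical header {name!r} is listed but not present'
        if name not in understood:
            return f'critical header {name!r} is not understood by this verifier'
    return None


def accept_header(token: str, understood=()) -> bool:
    """Gate that runs before signature verification on a compact JWS.
    Signature checking is out of scope; this is only the step a vulnerable
    verifier skipped."""
    header = json.loads(_b64url_decode(token.split(".")[0]))
    return crit_problem(header, frozenset(understood)) is None


def make_token(header: dict) -> str:
    # Constructed sample: real header, dummy payload and signature, since
    # only the header matters for the check demonstrated here.
    h = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=")
    return f"{h.decode()}.e30.AAAA"
```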

Affected Version(s)

authlib < 1.6.4

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
