Unbounded DEFLATE Decompression Vulnerability in Authlib Python Library
CVE-2025-62706

6.5MEDIUM

Key Information:

Vendor: Authlib
Status: Authlib
Vendor: CVE Published:; 22 October 2025

What is CVE-2025-62706?

Authlib, a Python library utilized for building OAuth and OpenID Connect servers, has a significant vulnerability associated with its handling of JWE tokens. Specifically, prior to version 1.6.5, the library's implementation allows for unbounded DEFLATE decompression when the zip=DEF parameter is present. This weakness enables attackers to craft small ciphertexts that can expand excessively upon decryption, potentially leading to substantial memory and CPU resource consumption and resulting in denial-of-service (DoS) conditions. Users are encouraged to upgrade to version 1.6.5 or implement recommended workarounds, such as rejecting or modifying inbound JWEs with zip=DEF at the application boundary, applying bounded decompression techniques, and enforcing strict input limits combined with rate limiting to mitigate this risk.

Affected Version(s)

authlib < 1.6.5

References

https://github.com/authlib/authlib/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/authlib/authlib/commit/e0863d5129316b1...

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 22, 2025
Vulnerability Reserved
Oct 20, 2025

JSON