Information Disclosure in joserfc Python Library
CVE-2025-65015

9.2 CRITICAL

Key Information:

Vendor: Authlib
Status: Vendor
CVE Published: 18 November 2025

What is CVE-2025-65015?

joserfc, a Python implementation of the JSON Object Signing and Encryption (JOSE) standards, contains a vulnerability in its ExceededSizeError exception. In the affected versions the exception message includes the non-decoded JWT token segment, so the log entry written when the exception is handled can be made excessively large. If a susceptible Python web application is deployed without a properly configured web server in front of it, an attacker can send oversized bearer tokens in HTTP request headers; the resulting log entries, each carrying the full JWT payload from the failed decode, can overwhelm logging tools such as Sentry. The issue is fixed in versions 1.3.5 and 1.4.2.
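Two controls a deployment can apply against the log-flooding pattern described above, as an added example that is not joserfc's or Authlib's own code: a size check on the bearer token before it reaches any decoder, and a logging filter that bounds every emitted message. The limits, the header dict shape and the in-memory handler are constructed for illustration; joserfc itself is not called.

```python
import logging
from typing import List, Optional, Tuple

# Constructed limits (not from joserfc): tune to the largest token your issuer emits.
MAX_BEARER_LEN = 8 * 1024   # characters of compact-serialised JWT accepted at the edge
MAX_LOG_MSG_LEN = 512       # characters kept from any single log message


class TruncatingFilter(logging.Filter):
    """Cap every record's message so an exception text that embeds a raw
    token cannot flood the log sink, whichever library raised it."""

    def filter(self, record: logging.LogRecord) -> bool:
        msg = record.getMessage()
        if len(msg) > MAX_LOG_MSG_LEN:
            dropped = len(msg) - MAX_LOG_MSG_LEN
            record.msg = msg[:MAX_LOG_MSG_LEN] + f"... [truncated {dropped} chars]"
            record.args = ()  # already rendered; stop getMessage() re-formatting
        return True


class ListHandler(logging.Handler):
    """Keeps formatted records in memory so the effect can be checked."""

    def __init__(self) -> None:
        super().__init__()
        self.messages: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.messages.append(self.format(record))


def build_logger(name: str = "jwt-auth") -> Tuple[logging.Logger, ListHandler]:
    """Logger whose handler only ever sees truncated messages."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = ListHandler()
    handler.addFilter(TruncatingFilter())  # on the handler, so it applies to every caller
    logger.addHandler(handler)
    return logger, handler


def extract_bearer(headers: dict) -> Optional[str]:
    """Return the bearer token only if well-formed and within the size cap.
    Oversized tokens never reach the JWT decoder, so no decode-time
    exception can carry them into a log message."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token or len(token) > MAX_BEARER_LEN:
        return None
    return token
```

In a real deployment the same header cap belongs on the reverse proxy as well, so oversized requests are dropped before the application process sees them.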

Affected Version(s)

joserfc >= 1.3.3, < 1.3.5 (not affected: < 1.3.3 and 1.3.5)

joserfc >= 1.4.0, < 1.4.2 (not affected: < 1.4.0 and 1.4.2)

CVSS V4

Score:
9.2
Severity:
CRITICAL
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability reserved