-------------------------------------------------------------------------
Debian LTS Advisory DLA-4352-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Daniel Leidert
October 29, 2025                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package        : python-authlib
Version        : 0.15.4-1+deb11u1
CVE ID         : CVE-2024-37568 CVE-2025-59420 CVE-2025-61920 CVE-2025-62706
Multiple vulnerabilities have been found in python-authlib, a Python
library for OAuth and OpenID Connect servers.
CVE-2024-37568
Unless an algorithm is specified in a jwt.decode call, HMAC verification
is allowed with any asymmetric public key. An attacker who knows the
verifier's public key can therefore issue a token with alg=HS256, using
the public key bytes as the HMAC secret, and have it accepted as valid.
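The following is an added illustration of that algorithm-confusion pattern, not Authlib's code and not part of the advisory. It uses only the Python standard library: a forged HS256 token is built with a placeholder public-key PEM (a constructed value, not a real key) as the HMAC secret, a verifier that lets the token's own alg header choose the routine accepts it, and a verifier that pins the permitted algorithms and refuses HMAC with public-key material rejects it. RS256 verification itself is deliberately not implemented here; only the HMAC path the attack abuses is shown.

```python
"""Added example (not Authlib's code): alg confusion, HMAC with a public key."""
import base64
import hashlib
import hmac
import json

# Constructed placeholder standing in for the verifier's configured
# asymmetric public key (assumption). Only its bytes matter for the attack.
PUBLIC_KEY_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    "PLACEHOLDERPUBLICKEYBODY0000000000000000000000000000000000000000\n"
    "-----END PUBLIC KEY-----\n"
)
SHARED_SECRET = "constructed-hs256-shared-secret"  # for the legitimate HMAC case


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: str) -> str:
    """Build an HS256 JWT. The attacker passes the *public key PEM* as the
    secret; a legitimate issuer passes a real shared secret."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256)
    return f"{header}.{payload}.{b64url_encode(mac.digest())}"


def _parse(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS compact serialization")
    return parts, json.loads(b64url_decode(parts[0]))


def _hmac_matches(parts, key: str) -> bool:
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    expected = hmac.new(key.encode(), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(parts[2]))


def looks_like_public_key(key: str) -> bool:
    return key.lstrip().startswith(("-----BEGIN PUBLIC KEY-----",
                                    "-----BEGIN RSA PUBLIC KEY-----"))


def decode_unpinned(token: str, key: str) -> dict:
    """Vulnerable pattern: nothing pinned, so the token header decides.
    With alg=HS256 the configured public key bytes become the HMAC secret."""
    parts, header = _parse(token)
    if header.get("alg") == "HS256":
        if not _hmac_matches(parts, key):
            raise ValueError("bad signature")
        return json.loads(b64url_decode(parts[1]))
    raise ValueError(f"alg {header.get('alg')!r} not handled in this example")


def decode_pinned(token: str, key: str, algorithms: list) -> dict:
    """Hardened pattern: the caller pins the permitted algorithms, and HMAC is
    refused outright whenever the configured key is public-key material."""
    if not algorithms:
        raise ValueError("an explicit algorithms allowlist is required")
    parts, header = _parse(token)
    alg = header.get("alg")
    if alg not in algorithms:
        raise ValueError(f"alg {alg!r} not in allowlist {algorithms}")
    if alg.startswith("HS") and looks_like_public_key(key):
        raise ValueError("refusing HMAC verification with public-key material")
    if alg == "HS256":
        if not _hmac_matches(parts, key):
            raise ValueError("bad signature")
        return json.loads(b64url_decode(parts[1]))
    raise ValueError(f"alg {alg!r} not handled in this example")


def outcome(fn, *args):
    try:
        return ("accepted", fn(*args))
    except ValueError as exc:
        return ("rejected", str(exc))


def demo() -> dict:
    forged = sign_hs256({"sub": "admin"}, PUBLIC_KEY_PEM)   # attacker's token
    genuine = sign_hs256({"sub": "alice"}, SHARED_SECRET)   # honest HS256 token
    return {
        "forged_unpinned": outcome(decode_unpinned, forged, PUBLIC_KEY_PEM),
        "forged_pinned_rs256": outcome(decode_pinned, forged, PUBLIC_KEY_PEM, ["RS256"]),
        "forged_pinned_hs_allowed": outcome(decode_pinned, forged, PUBLIC_KEY_PEM, ["HS256", "RS256"]),
        "genuine_pinned_hs256": outcome(decode_pinned, genuine, SHARED_SECRET, ["HS256"]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The two checks in decode_pinned are independent on purpose: pinning the algorithm set stops the attack when the deployment is configured correctly, and the key-type check stops it even when someone later widens the allowlist to include an HMAC algorithm for a verifier that holds a public key.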
CVE-2025-59420
Authlib's JWS verification accepts tokens that declare unknown critical
header parameters (crit), violating RFC 7515 "must-understand" semantics.
An attacker can craft a signed token with a critical header that strict
verifiers reject but Authlib accepts. In mixed-language fleets, this
enables split-brain verification and can lead to policy bypass, replay,
or privilege escalation.
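As an added example (not Authlib's code and not part of the advisory), this is what RFC 7515 section 4.1.11 "must-understand" handling of the crit header looks like when done strictly: crit must be a non-empty array, must not name header parameters registered by RFC 7515 itself, every listed name must actually be present in the header, and every listed name must be one the verifier implements, otherwise the token is rejected before any signature work. The set of understood extensions (only b64 from RFC 7797 here) and the sample headers are assumptions constructed for the example.

```python
"""Added example (not Authlib's code): strict RFC 7515 crit handling."""
import base64
import json

# Header parameter names registered by RFC 7515; the RFC forbids listing
# any of them in `crit`.
REGISTERED_HEADER_PARAMS = frozenset({
    "alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256",
    "typ", "cty", "crit",
})

# Critical extensions this verifier implements. `b64` (RFC 7797) stands in
# as the single understood extension; this set is an assumption.
UNDERSTOOD_CRITICAL = frozenset({"b64"})


def check_crit(header: dict, understood=UNDERSTOOD_CRITICAL) -> None:
    """Raise ValueError if the protected header's `crit` is malformed or
    names an extension this verifier does not understand."""
    if "crit" not in header:
        return
    crit = header["crit"]
    if not isinstance(crit, list) or not crit:
        raise ValueError("crit must be a non-empty array")
    for name in crit:
        if not isinstance(name, str):
            raise ValueError("crit entries must be strings")
        if name in REGISTERED_HEADER_PARAMS:
            raise ValueError(f"crit must not list registered parameter {name!r}")
        if name not in header:
            raise ValueError(f"critical parameter {name!r} missing from header")
        if name not in understood:
            raise ValueError(f"critical parameter {name!r} is not understood")


def header_is_acceptable(header: dict) -> bool:
    try:
        check_crit(header)
        return True
    except ValueError:
        return False


def protected_header_from_token(token: str) -> dict:
    """Parse the first compact segment; run check_crit on the result before
    touching the signature."""
    seg = token.split(".", 1)[0]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


# Constructed protected headers (not real tokens), one per rule.
CASES = {
    "no_crit": {"alg": "RS256"},
    "understood_b64": {"alg": "RS256", "crit": ["b64"], "b64": False},
    "unknown_extension": {"alg": "RS256", "crit": ["http://example.com/ext"],
                          "http://example.com/ext": True},
    "empty_crit": {"alg": "RS256", "crit": []},
    "registered_name": {"alg": "RS256", "crit": ["alg"]},
    "listed_but_absent": {"alg": "RS256", "crit": ["b64"]},
}


def demo() -> dict:
    return {name: header_is_acceptable(h) for name, h in CASES.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```

The "unknown_extension" case is the one the advisory describes: a strict verifier rejects it, a lenient one verifies the signature and carries on, and the two disagree about the same token.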
CVE-2025-61920
Authlib’s JOSE implementation accepts unbounded JWS/JWT header and
signature segments which can lead to a DoS during verification.
CVE-2025-62706
Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression
which can lead to a DoS.
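Both of the last two issues are resource-exhaustion problems, so one added example (not Authlib's code and not part of the advisory) covers them together: per-segment size caps applied to the compact serialization before any base64 or JSON decoding, for the unbounded header and signature segments of CVE-2025-61920, and a raw-DEFLATE inflater that stops as soon as the output would exceed a cap, for the zip=DEF path of CVE-2025-62706. The specific limits, the sample tokens, and the 16 MiB all-zero "bomb" are constructed for the example.

```python
"""Added example (not Authlib's code): size caps for JOSE compact tokens and
bounded inflation of JWE zip=DEF content."""
import zlib

# Limits are assumptions for this example; tune to the deployment.
MAX_HEADER_B64 = 8 * 1024         # protected header segment, base64url chars
MAX_SIGNATURE_B64 = 2 * 1024      # well above any JWA signature or tag size
MAX_SEGMENT_B64 = 256 * 1024      # payload / encrypted key / IV / ciphertext
MAX_PLAINTEXT = 1 * 1024 * 1024   # cap on inflated JWE plaintext
B64URL_ALPHABET = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")


def split_compact(token: str) -> list:
    """Split a compact JWS (3 segments) or JWE (5 segments), enforcing
    per-segment caps and the base64url alphabet before anything is decoded."""
    parts = token.split(".")
    if len(parts) not in (3, 5):
        raise ValueError(f"expected 3 or 5 segments, got {len(parts)}")
    if len(parts[0]) > MAX_HEADER_B64:
        raise ValueError("protected header segment too large")
    if len(parts[-1]) > MAX_SIGNATURE_B64:
        raise ValueError("signature/tag segment too large")
    for seg in parts[1:-1]:
        if len(seg) > MAX_SEGMENT_B64:
            raise ValueError("segment too large")
    for seg in parts:
        if not set(seg) <= B64URL_ALPHABET:
            raise ValueError("segment is not base64url")
    return parts


def bounded_inflate(data: bytes, max_out: int = MAX_PLAINTEXT) -> bytes:
    """Inflate raw DEFLATE (RFC 1951, which is what JWE zip=DEF carries) but
    ask zlib for at most max_out + 1 bytes, so a highly compressible bomb is
    detected after one window of output instead of after filling memory."""
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(data, max_out + 1)
    if len(out) > max_out:
        raise ValueError(f"decompressed size exceeds {max_out} bytes")
    if not d.eof:
        raise ValueError("truncated or malformed DEFLATE stream")
    if d.unused_data:
        raise ValueError("trailing data after DEFLATE stream")
    return out


def deflate_raw(data: bytes) -> bytes:
    """Produce raw DEFLATE, as a JWE encrypter using zip=DEF would."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def outcome(fn, *args):
    try:
        return ("accepted", fn(*args))
    except ValueError as exc:
        return ("rejected", str(exc))


def demo() -> dict:
    plaintext = b'{"iss":"https://issuer.example","sub":"alice"}'
    bomb = deflate_raw(b"\0" * (16 * 1024 * 1024))  # 16 MiB of zeros, a few KiB compressed
    hdr = "eyJhbGciOiJSUzI1NiJ9"                      # base64url of {"alg":"RS256"}
    return {
        "bomb_compressed_bytes": len(bomb),
        "bomb": outcome(bounded_inflate, bomb),
        "small": outcome(bounded_inflate, deflate_raw(plaintext)),
        "normal_jws": outcome(split_compact, f"{hdr}.e30.c2ln"),
        "huge_header": outcome(split_compact, "A" * (MAX_HEADER_B64 + 1) + ".e30.c2ln"),
        "huge_signature": outcome(split_compact, f"{hdr}.e30." + "A" * (MAX_SIGNATURE_B64 + 1)),
        "four_segments": outcome(split_compact, f"{hdr}.e30.c2ln.extra"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The ordering matters: split_compact runs on the raw string, so an oversized header is refused before the cost of base64 decoding and JSON parsing is paid, and bounded_inflate is reached only after the authentication tag has been checked, so unauthenticated input never reaches the inflater at all.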
For Debian 11 bullseye, these problems have been fixed in version
0.15.4-1+deb11u1.
We recommend that you upgrade your python-authlib packages.
For the detailed security status of python-authlib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-authlib
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS