Moderate severityNVD Advisory· Published Oct 22, 2025· Updated Nov 3, 2025

Authlib : JWE zip=DEF decompression bomb enables DoS

CVE-2025-62706

Description

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable tokens to exhaust memory and CPU and cause denial of service. This issue has been patched in version 1.6.5. Workarounds for this issue involve rejecting or stripping zip=DEF for inbound JWEs at the application boundary, forking and add a bounded decompression guard via decompressobj().decompress(data, MAX_SIZE)) and returning an error when output exceeds a safe limit, or enforcing strict maximum token sizes and fail fast on oversized inputs; combine with rate limiting.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
authlibPyPI	< 1.6.5	1.6.5

Affected products

Authlib/Authlibv5
Range: < 1.6.5

Patches

e0863d512931

Merge pull request #830 from authlib/fix-GHSA-g7f3-828f-7h7m

https://github.com/authlib/authlibHsiaoming YangOct 2, 2025via ghsa

commit

1 file changed · +15 −4

authlib/jose/rfc7518/jwe_zips.py+15 −4 modified

@@ -3,20 +3,31 @@
 from ..rfc7516 import JsonWebEncryption
 from ..rfc7516 import JWEZipAlgorithm
 
+GZIP_HEAD = bytes([120, 156])
+MAX_SIZE = 250 * 1024
+
 
 class DeflateZipAlgorithm(JWEZipAlgorithm):
     name = "DEF"
     description = "DEFLATE"
 
-    def compress(self, s):
+    def compress(self, s: bytes) -> bytes:
         """Compress bytes data with DEFLATE algorithm."""
         data = zlib.compress(s)
-        # drop gzip headers and tail
+        # https://datatracker.ietf.org/doc/html/rfc1951
+        # since DEF is always gzip, we can drop gzip headers and tail
         return data[2:-4]
 
-    def decompress(self, s):
+    def decompress(self, s: bytes) -> bytes:
         """Decompress DEFLATE bytes data."""
-        return zlib.decompress(s, -zlib.MAX_WBITS)
+        if s.startswith(GZIP_HEAD):
+            decompressor = zlib.decompressobj()
+        else:
+            decompressor = zlib.decompressobj(-zlib.MAX_WBITS)
+        value = decompressor.decompress(s, MAX_SIZE)
+        if decompressor.unconsumed_tail:
+            raise ValueError(f"Decompressed string exceeds {MAX_SIZE} bytes")
+        return value
 
 
 def register_jwe_rfc7518():

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-g7f3-828f-7h7mghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-62706ghsaADVISORY
github.com/authlib/authlib/commit/e0863d5129316b1790eee5f14cece32a03b8184dghsax_refsource_MISCWEB
github.com/authlib/authlib/security/advisories/GHSA-g7f3-828f-7h7mghsax_refsource_CONFIRMWEB
lists.debian.org/debian-lts-announce/2025/10/msg00032.htmlghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000