rpm package
suse/python-Authlib&distro=SUSE Linux Enterprise Module for Python 3 15 SP6
pkg:rpm/suse/python-Authlib&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP6
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-62706 | — | < 1.3.1-150600.3.9.1 | 1.3.1-150600.3.9.1 | Oct 22, 2025 | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can s | ||
| CVE-2025-61920 | — | < 1.3.1-150600.3.6.1 | 1.3.1-150600.3.6.1 | Oct 10, 2025 | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or signature spans hundreds | ||
| CVE-2024-37568 | — | < 1.3.1-150600.3.3.1 | 1.3.1-150600.3.3.1 | Jun 9, 2024 | lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.) |
- CVE-2025-62706Oct 22, 2025affected < 1.3.1-150600.3.9.1fixed 1.3.1-150600.3.9.1
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can s
- CVE-2025-61920Oct 10, 2025affected < 1.3.1-150600.3.6.1fixed 1.3.1-150600.3.6.1
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url‑encoded header or signature spans hundreds
- CVE-2024-37568Jun 9, 2024affected < 1.3.1-150600.3.3.1fixed 1.3.1-150600.3.3.1
lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)