Packages
- python-authlib - Python library for building OAuth and OpenID Connect servers
Details
Millie Solem discovered that Authlib did not properly restrict algorithm
selection during JWT verification, allowing HMAC verification with
asymmetric public keys when no algorithm was specified. A remote attacker
could possibly use this issue to bypass signature verification and forge
tokens, resulting in authentication bypass or privilege escalation.
(CVE-2024-37568)
Muhammad Noman Ilyas discovered that Authlib did not properly enforce
critical header parameter handling during JSON Web Signature verification,
leading to unknown critical parameters being incorrectly accepted. A remote
attacker could possibly use this issue to bypass security policies in mixed
deployments, resulting in authentication bypass, replay attacks, or
privilege escalation. (CVE-2025-59420)
Muhammad Noman Ilyas discovered that Authlib did not properly limit the
size of...
Millie Solem discovered that Authlib did not properly restrict algorithm
selection during JWT verification, allowing HMAC verification with
asymmetric public keys when no algorithm was specified. A remote attacker
could possibly use this issue to bypass signature verification and forge
tokens, resulting in authentication bypass or privilege escalation.
(CVE-2024-37568)
Muhammad Noman Ilyas discovered that Authlib did not properly enforce
critical header parameter handling during JSON Web Signature verification,
leading to unknown critical parameters being incorrectly accepted. A remote
attacker could possibly use this issue to bypass security policies in mixed
deployments, resulting in authentication bypass, replay attacks, or
privilege escalation. (CVE-2025-59420)
Muhammad Noman Ilyas discovered that Authlib did not properly limit the
size of JSON Web Signature or JSON Web Token header and signature segments.
A remote attacker could possibly use this issue to cause excessive memory
or processor consumption, leading to a denial of service. (CVE-2025-61920)
Muhammad Noman Ilyas discovered that Authlib performed unbounded
decompression when processing certain compressed encrypted tokens. A remote
attacker could possibly use this issue to send a specially crafted token
that can be expanded to a large size during decompression, causing a denial
of service. (CVE-2025-62706)
It was discovered that Authlib did not properly bind cached state
information to the initiating user session during OAuth authentication
flows. A remote attacker could possibly use this issue to perform cross-
site request forgery attacks, resulting in unauthorized actions or
authentication bypass. This issue only affected Ubuntu 24.04 LTS.
(CVE-2025-68158)
Update instructions
In general, a standard system update will make all the necessary changes.
Learn more about how to get the fixes.The problem can be corrected by updating your system to the following package versions:
| Ubuntu Release | Package Version | ||
|---|---|---|---|
| 24.04 LTS noble | python-authlib-doc – 1.3.0-1ubuntu0.1~esm1 | ||
| python3-authlib – 1.3.0-1ubuntu0.1~esm1 | |||
| 22.04 LTS jammy | python-authlib-doc – 0.15.5-1ubuntu0.1~esm1 | ||
| python3-authlib – 0.15.5-1ubuntu0.1~esm1 | |||
Reduce your security exposure
Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.