vulnerability

Debian: CVE-2025-59420: python-authlib -- security update

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
8	(AV:N/AC:L/Au:N/C:N/I:C/A:N)	Oct 30, 2025	Oct 30, 2025	Oct 30, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:N/I:C/A:N)

Published

Oct 30, 2025

Added

Oct 30, 2025

Modified

Oct 30, 2025

Description

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlibâs JWS verification accepts tokens that declare unknown critical header parameters (crit), violating RFC 7515 âmustâunderstandâ semantics. An attacker can craft a signed token with a critical header (for example, bork or cnf) that strict verifiers reject but Authlib accepts. In mixedâlanguage fleets, this enables splitâbrain verification and can lead to policy bypass, replay, or privilege escalation. This issue has been patched in version 1.6.4.

Solution

debian-upgrade-python-authlib

References

CVE-2025-59420
https://attackerkb.com/topics/CVE-2025-59420
CWE-345
CWE-863
DEBIAN-DLA-4352-1

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today