Unbounded DEFLATE Decompression Vulnerability in Authlib Python Library
Posted: Thu Oct 23, 2025 11:57 am
Authlib, a Python library utilized for building OAuth and OpenID Connect servers, has a significant vulnerability associated with its handling of JWE tokens. Specifically, prior to version 1.6.5, the library's implementation allows for unbounded DEFLATE decompression when the zip=DEF parameter is present. This weakness enables attackers to craft small ciphertexts that can expand excessively upon decryption, potentially leading to substantial memory and CPU resource consumption and resulting in denial-of-service (DoS) conditions.
https://securityvulnerability.io/vulner ... 2025-62706
https://securityvulnerability.io/vulner ... 2025-62706