CVE-2025-59420
Publication date 22 September 2025
Last updated 27 February 2026
Ubuntu priority
Description
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.4, Authlib’s JWS verification accepts tokens that declare unknown critical header parameters (crit), violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical header (for example, bork or cnf) that strict verifiers reject but Authlib accepts. In mixed‑language fleets, this enables split‑brain verification and can lead to policy bypass, replay, or privilege escalation. This issue has been patched in version 1.6.4.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| python-authlib | 25.10 questing |
Vulnerable
|
| 24.04 LTS noble |
Fixed 1.3.0-1ubuntu0.1~esm1
|
|
| 22.04 LTS jammy |
Fixed 0.15.5-1ubuntu0.1~esm1
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu Pro 30-day free trialSeverity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.5 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-8065-1
- Authlib vulnerabilities
- 25 February 2026