CVE-2025-62706: Authlib: JWE zip=DEF decompression bomb enables DoS
Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable tokens to exhaust memory and CPU and cause denial of service.
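The following is an added illustration of the failure mode and the mitigation; it is not Authlib's code and not the fix referenced below. It uses only the standard library: `deflate_raw` builds a small raw-DEFLATE payload (JWE `zip=DEF` uses raw DEFLATE per RFC 7516) standing in for a decrypted JWE body, `inflate_unbounded` shows the risky pattern, and `inflate_bounded` shows how to cap output with `zlib.decompressobj` so the expanded data is never fully materialised. The 1 MiB cap, the header dict shape and the function names are assumptions made for this example.

```python
import zlib

# Assumption: a 1 MiB cap on inflated JWE payloads, chosen for this example.
MAX_INFLATED_BYTES = 1024 * 1024


class DecompressionLimitExceeded(ValueError):
    """Raised when a zip=DEF payload would inflate beyond the configured cap."""


def deflate_raw(data: bytes) -> bytes:
    """Compress with raw DEFLATE (no zlib header), as JWE zip=DEF requires (RFC 7516)."""
    comp = zlib.compressobj(level=9, wbits=-zlib.MAX_WBITS)
    return comp.compress(data) + comp.flush()


def inflate_unbounded(data: bytes) -> bytes:
    """The risky pattern: produce everything the stream encodes, whatever its size."""
    return zlib.decompress(data, wbits=-zlib.MAX_WBITS)


def inflate_bounded(data: bytes, limit: int = MAX_INFLATED_BYTES) -> bytes:
    """Decompress raw DEFLATE, refusing to produce more than `limit` bytes.

    decompressobj.decompress(data, max_length) stops once max_length bytes exist
    and parks the unread input in unconsumed_tail, so the bomb is never expanded.
    """
    d = zlib.decompressobj(wbits=-zlib.MAX_WBITS)
    out = d.decompress(data, limit + 1)  # one extra byte reveals that the cap was crossed
    if len(out) > limit or d.unconsumed_tail:
        raise DecompressionLimitExceeded(
            f"inflated payload exceeds {limit} bytes "
            f"(compressed input was only {len(data)} bytes)"
        )
    if not d.eof:
        raise ValueError("truncated or malformed DEFLATE stream")
    return out


def decode_jwe_plaintext(protected_header: dict, plaintext: bytes,
                         limit: int = MAX_INFLATED_BYTES) -> bytes:
    """Apply the cap to the decrypted body; 'DEF' is the only zip value JOSE defines."""
    zip_alg = protected_header.get("zip")
    if zip_alg is None:
        return plaintext
    if zip_alg != "DEF":
        raise ValueError(f"unsupported zip algorithm: {zip_alg!r}")
    return inflate_bounded(plaintext, limit)


def build_bomb(inflated_size: int) -> bytes:
    """Constructed sample: a highly compressible body (all zero bytes) of the given size."""
    return deflate_raw(b"\x00" * inflated_size)


def is_rejected(payload: bytes, limit: int = MAX_INFLATED_BYTES) -> bool:
    """True if the bounded decoder refuses the payload because of its inflated size."""
    try:
        inflate_bounded(payload, limit)
    except DecompressionLimitExceeded:
        return True
    return False


if __name__ == "__main__":
    bomb = build_bomb(32 * 1024 * 1024)  # about 32 MiB of zeros, tens of KB compressed
    print(f"compressed bomb: {len(bomb)} bytes")
    header = {"alg": "dir", "enc": "A256GCM", "zip": "DEF"}  # constructed header
    try:
        decode_jwe_plaintext(header, bomb)
    except DecompressionLimitExceeded as exc:
        print("rejected:", exc)
    print(decode_jwe_plaintext(header, deflate_raw(b'{"sub":"alice"}')))
```

The cap has to be enforced on the decompressed output, not on the size of the ciphertext: DEFLATE can reach roughly a 1000:1 ratio, so a few kilobytes of token is enough to request tens of megabytes, and a check on input length alone would pass the bomb through.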
References
- github.com/advisories/GHSA-g7f3-828f-7h7m
- github.com/authlib/authlib
- github.com/authlib/authlib/commit/e0863d5129316b1790eee5f14cece32a03b8184d
- github.com/authlib/authlib/security/advisories/GHSA-g7f3-828f-7h7m
- lists.debian.org/debian-lts-announce/2025/10/msg00032.html
- nvd.nist.gov/vuln/detail/CVE-2025-62706