GHSA-g7f3-828f-7h7m: Authlib : JWE zip=DEF decompression bomb enables DoS
Authlib's JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable tokens to exhaust memory and CPU and cause denial of service.
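As an added illustration (this is not Authlib's code), a bounded raw-DEFLATE inflate of the kind a JWE zip=DEF decrypt path needs: it stops as soon as the decompressed output exceeds a caller-chosen cap instead of inflating the whole stream. The cap value, the helper names and the constructed test stream are assumptions.

```python
import zlib

# Assumed cap for decompressed JWE plaintext; tune to the largest token body you expect.
MAX_PLAINTEXT = 256 * 1024


class DecompressionBombError(ValueError):
    """Raised when decompressed output exceeds the configured limit."""


def deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE (no zlib header), the encoding JWE zip=DEF uses. Test fixture only."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def inflate_bounded(data: bytes, max_out: int = MAX_PLAINTEXT, chunk: int = 64 * 1024) -> bytes:
    """Inflate a raw DEFLATE stream, aborting once more than max_out bytes have been produced.

    Output is pulled in chunks so a tiny input that would expand to hundreds of
    megabytes is rejected after at most max_out + chunk bytes are materialised.
    """
    d = zlib.decompressobj(wbits=-15)
    out = bytearray()
    buf = data
    while not d.eof:
        piece = d.decompress(buf, chunk)   # at most `chunk` bytes of output per call
        out += piece
        if len(out) > max_out:
            raise DecompressionBombError(
                f"decompressed size exceeds {max_out} bytes; refusing to continue")
        buf = d.unconsumed_tail            # input not yet consumed (b"" once drained)
        if not piece and not buf:
            raise ValueError("truncated or corrupt DEFLATE stream")
    return bytes(out)


def is_rejected(data: bytes, max_out: int) -> bool:
    """True if inflate_bounded refuses `data` under the given cap."""
    try:
        inflate_bounded(data, max_out)
    except DecompressionBombError:
        return True
    return False


if __name__ == "__main__":
    # Constructed highly compressible stream: a few KB on the wire, 4 MiB inflated.
    bomb = deflate_raw(b"\0" * (4 * 1024 * 1024))
    print(len(bomb), "compressed bytes; rejected:", is_rejected(bomb, 1024 * 1024))
```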