CVE-2025-65015: joserfc has Possible Uncontrolled Resource Consumption Vulnerability Triggered by Logging Arbitrarily Large JWT Token Payloads
ExceededSizeError exception messages embed the non-decoded JWT token part, so an application that logs the exception may write an arbitrarily large, attacker-supplied (forged) JWT payload to its Python logs.
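As an added illustration (not code from joserfc or the advisory; only the exception's name is taken from the page, while the size limit, message format and logging filter are assumptions), a Python sketch of the vulnerable pattern beside a bounded exception message, plus a logging-layer filter that caps what any record can write regardless of which library raised it:

```python
import logging

MAX_SEGMENT = 4096   # constructed limit for one base64url token part (assumption)
EXCERPT = 32         # how much of an oversize part an error message may carry

class ExceededSizeError(ValueError):
    """Stand-in for the exception the advisory names; not joserfc's own class."""

def check_part_unsafe(part: str) -> None:
    """Vulnerable pattern: the whole non-decoded part is embedded in the message."""
    # Any logging.exception(...) on this error writes the attacker-sized string to disk.
    if len(part) > MAX_SEGMENT:
        raise ExceededSizeError(f"token part too large: {part}")

def check_part_safe(part: str) -> None:
    """Hardened pattern: report the length and a short prefix, never the whole part."""
    if len(part) > MAX_SEGMENT:
        raise ExceededSizeError(
            f"token part too large ({len(part)} > {MAX_SEGMENT} chars): "
            f"{part[:EXCERPT]}..."
        )

def message_length(check, part: str) -> int:
    """Run `check` on `part`; return the length of the raised message (0 if none)."""
    try:
        check(part)
    except ExceededSizeError as exc:
        return len(str(exc))
    return 0

class BoundedMessageFilter(logging.Filter):
    """Defence in depth at the logging layer: cap every record's rendered message."""

    def __init__(self, limit: int = 512) -> None:
        super().__init__()
        self.limit = limit

    def filter(self, record: logging.LogRecord) -> bool:
        msg = record.getMessage()
        if len(msg) > self.limit:
            record.msg, record.args = msg[: self.limit] + "...[truncated]", ()
        return True

def filtered_message(msg: str, limit: int) -> str:
    """Push one message through BoundedMessageFilter and return what a handler sees."""
    record = logging.LogRecord("app", logging.ERROR, __file__, 0, msg, None, None)
    BoundedMessageFilter(limit).filter(record)
    return record.getMessage()
```

Attach `BoundedMessageFilter` to the root logger (or a handler) so that an unpatched dependency raising an oversized message cannot flood log storage on its own.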
References
- github.com/advisories/GHSA-frfh-8v73-gjg4
- github.com/authlib/joserfc
- github.com/authlib/joserfc/commit/63932f169d924caffafa761af2122b82059017f7
- github.com/authlib/joserfc/commit/673c8743fd0605b0e1de6452be6cba75f44e466b
- github.com/authlib/joserfc/releases/tag/1.3.5
- github.com/authlib/joserfc/releases/tag/1.4.2
- github.com/authlib/joserfc/security/advisories/GHSA-frfh-8v73-gjg4
- nvd.nist.gov/vuln/detail/CVE-2025-65015