Home / mailingsPDF  

[USN-8065-1] Authlib vulnerabilities

Posted on 26 February 2026
Ubuntu Security

==========================================================================Ubuntu Security Notice USN-8065-1
February 25, 2026

python-authlib vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in Authlib.

Software Description:
- python-authlib: Python library for building OAuth and OpenID Connect servers

Details:

Millie Solem discovered that Authlib did not properly restrict algorithm
selection during JWT verification, allowing HMAC verification with
asymmetric public keys when no algorithm was specified. A remote attacker
could possibly use this issue to bypass signature verification and forge
tokens, resulting in authentication bypass or privilege escalation.
(CVE-2024-37568)

Muhammad Noman Ilyas discovered that Authlib did not properly enforce
critical header parameter handling during JSON Web Signature verification,
leading to unknown critical parameters being incorrectly accepted. A remote
attacker could possibly use this issue to bypass security policies in mixed
deployments, resulting in authentication bypass, replay attacks, or
privilege escalation. (CVE-2025-59420)

Muhammad Noman Ilyas discovered that Authlib did not properly limit the
size of JSON Web Signature or JSON Web Token header and signature segments.
A remote attacker could possibly use this issue to cause excessive memory
or processor consumption, leading to a denial of service. (CVE-2025-61920)

Muhammad Noman Ilyas discovered that Authlib performed unbounded
decompression when processing certain compressed encrypted tokens. A remote
attacker could possibly use this issue to send a specially crafted token
that can be expanded to a large size during decompression, causing a denial
of service. (CVE-2025-62706)

It was discovered that Authlib did not properly bind cached state
information to the initiating user session during OAuth authentication
flows. A remote attacker could possibly use this issue to perform cross-
site request forgery attacks, resulting in unauthorized actions or
authentication bypass. This issue only affected Ubuntu 24.04 LTS.
(CVE-2025-68158)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
python-authlib-doc 1.3.0-1ubuntu0.1~esm1
Available with Ubuntu Pro
python3-authlib 1.3.0-1ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 22.04 LTS
python-authlib-doc 0.15.5-1ubuntu0.1~esm1
Available with Ubuntu Pro
python3-authlib 0.15.5-1ubuntu0.1~esm1
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8065-1
CVE-2024-37568, CVE-2025-59420, CVE-2025-61920, CVE-2025-62706,
CVE-2025-68158

--===============7790404199712233344==Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature

 

TOP

Mailings :

Exploits :