CVE-2025-62706

6.5 MEDIUM

📋 TL;DR

CVE-2025-62706 is a denial-of-service vulnerability in Authlib's JWE implementation where DEFLATE decompression lacks size limits. Attackers can send specially crafted tokens that cause excessive memory and CPU consumption when decrypted, potentially crashing affected services. This affects any system using Authlib versions before 1.6.5 for JWE token processing.

💻 Affected Systems

Products:
  • Authlib
Versions: All versions prior to 1.6.5
Operating Systems: All platforms running Python
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems that use Authlib's JWE functionality with the zip=DEF parameter. Systems that do not use JWE, or that do not accept compressed JWEs, are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service unavailability due to memory exhaustion and CPU saturation, potentially affecting multiple services in shared environments.

🟠

Likely Case

Service degradation or temporary outages for affected endpoints, requiring restarts and causing user disruption.

🟢

If Mitigated

Minimal impact with proper input validation and rate limiting; failed token processing with error logging.

🌐 Internet-Facing: HIGH - Attackers can exploit this remotely by sending malicious tokens to public endpoints.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could still exploit this, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires ability to supply decryptable tokens to the target system. Attack complexity is moderate as it requires understanding of JWE token structure and compression.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.5

Vendor Advisory: https://github.com/authlib/authlib/security/advisories/GHSA-g7f3-828f-7h7m

Restart Required: No

Instructions:

1. Update Authlib to version 1.6.5 or later with pip: pip install --upgrade "authlib>=1.6.5" (quote the version specifier so the shell does not treat > as a redirection).
2. Verify that the update completed successfully.
3. No restart is required, as this is a library update.

🔧 Temporary Workarounds

Reject zip=DEF tokens

Applies to: all

Configure the application to reject, or strip, the zip=DEF parameter from inbound JWEs at the application boundary.

Implement bounded decompression

Applies to: all

Fork and modify Authlib to add a size limit to DEFLATE decompression, using zlib.decompressobj().decompress(data, max_length) so that no more than max_length bytes are ever produced.

Enforce token size limits

Applies to: all

Enforce a strict maximum token size and fail fast on oversized inputs, combined with rate limiting.
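The first two workarounds above in working form, as an added example that is not Authlib's own code: a bounded raw-DEFLATE inflater built on zlib.decompressobj, plus a boundary check that flags any JWE whose protected header carries zip. MAX_PLAINTEXT_BYTES, the function names and the sample inputs are assumptions constructed for this illustration.

```python
import base64
import json
import zlib

# Hypothetical bound, not an Authlib setting: set it above your largest legitimate plaintext.
MAX_PLAINTEXT_BYTES = 64 * 1024


class DecompressionLimitExceeded(ValueError):
    """Raised when an inflated JWE plaintext would exceed the configured bound."""


def bounded_inflate(data: bytes, max_size: int = MAX_PLAINTEXT_BYTES) -> bytes:
    """Inflate raw DEFLATE (JWE zip=DEF, RFC 1951) producing at most max_size bytes.

    decompress(data, max_length) stops once max_length bytes exist and parks the rest of
    the input in unconsumed_tail, so memory stays bounded whatever the compression ratio.
    Leftover input, or a stream that never reached its end marker, is rejected outright.
    """
    d = zlib.decompressobj(wbits=-zlib.MAX_WBITS)  # raw DEFLATE, no zlib/gzip framing
    out = d.decompress(data, max_size)
    if d.unconsumed_tail or not d.eof:
        raise DecompressionLimitExceeded(
            f"plaintext exceeds {max_size} bytes or stream is incomplete")
    return out


def has_zip_param(compact_jwe: str) -> bool:
    """True if the JWE protected header (first compact segment) carries a zip parameter."""
    protected = compact_jwe.split(".", 1)[0]
    header = json.loads(base64.urlsafe_b64decode(protected + "=" * (-len(protected) % 4)))
    return "zip" in header


def raw_deflate(plaintext: bytes) -> bytes:
    """Constructed test input: raw DEFLATE at level 9, as a zip=DEF producer would emit."""
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return c.compress(plaintext) + c.flush()


def demo() -> dict:
    """Exercise the bound with an ordinary payload and a highly compressible one."""
    claims = b'{"sub":"alice","scope":"read"}'
    results = {"normal_ok": bounded_inflate(raw_deflate(claims)) == claims}
    try:  # 256 KiB of zeros deflates to a few hundred bytes but must not inflate past 64 KiB
        bounded_inflate(raw_deflate(b"\0" * (256 * 1024)))
        results["oversized_rejected"] = False
    except DecompressionLimitExceeded:
        results["oversized_rejected"] = True
    # Constructed header; the remaining compact segments are placeholders, not a real token.
    hdr = base64.urlsafe_b64encode(b'{"alg":"dir","enc":"A128GCM","zip":"DEF"}').rstrip(b"=")
    results["zip_header_flagged"] = has_zip_param(hdr.decode() + "..x.y")
    return results
```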

🧯 If You Can't Patch

  • Implement WAF rules to block or limit JWE tokens with zip=DEF parameter
  • Deploy rate limiting and input validation at the application perimeter

🔍 How to Verify

Check if Vulnerable:

Run python -c "import authlib; print(authlib.__version__)" and check whether the reported version is below 1.6.5.

Check Version:

python -c "import authlib; print(authlib.__version__)"

Verify Fix Applied:

Verify version is 1.6.5 or higher using the same command, and test JWE token processing with zip=DEF to ensure proper error handling.

📡 Detection & Monitoring

Log Indicators:

  • High memory usage spikes
  • Process crashes or restarts
  • Error logs related to JWE decompression failures
  • Unusually large token processing times

Network Indicators:

  • High volume of JWE tokens to authentication endpoints
  • Repeated token submission patterns

SIEM Query:

source=application_logs AND ("JWE" OR "zip=DEF") AND ("memory" OR "crash" OR "timeout")
