Authlib, JOSE Implementation Denial of Service, CVE-2025-XXXX (High)


How the CVE Works

The vulnerability exists within Authlib’s JOSE implementation for JWS/JWT verification. A malicious actor can craft a token with an artificially large header or signature segment, encoded in base64url. During the verification process, Authlib decodes the entire input before performing any validation checks. A single token with a header segment measuring hundreds of megabytes will be fully decoded into memory and processed, consuming massive amounts of CPU time and RAM. This occurs because the library lacks early size checks on the decoded data, allowing an unauthenticated attacker to submit a request that exhausts server resources, leading to a denial of service.
Platform: Authlib
Version: <=1.6.3
Vulnerability: DoS
Severity: High

Date: 2025-03-20

Prediction: 2025-04-10

What Undercode Says:

Simulating resource usage for a large token decode
python3 -c "
import base64, sys
# 500 MB of filler, then base64url-encode it the way a JWS segment would be
large_data = 'A' * (500 * 1024 * 1024)
encoded = base64.urlsafe_b64encode(large_data.encode())
print(f'Encoded size: {sys.getsizeof(encoded)} bytes')
"
Example of a basic size check to prevent the issue
import base64

MAX_SEGMENT_SIZE = 256 * 1024  # 256 KB

def safe_extract_segment(encoded_segment):
    # Check the encoded length before decoding: the decoded output is at most
    # 3/4 of it, so an oversized segment is rejected without allocating anything.
    if len(encoded_segment) > MAX_SEGMENT_SIZE:
        raise ValueError("Segment too large")
    # JOSE strips base64 padding; restore it so the decoder accepts the segment.
    padded = encoded_segment + "=" * (-len(encoded_segment) % 4)
    decoded = base64.urlsafe_b64decode(padded)
    return decoded
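As an added example (not code from this page or from Authlib itself), the following applies the mechanism described under "How the CVE Works" and the 256 KB limit mentioned above to a whole compact JWS: every segment is bounds-checked on its encoded length before any base64url decoding, so an oversized header, payload or signature is rejected in constant time. The function names (`extract_segments`, `check_token`, `build_unsigned_token`), the `SegmentTooLarge` exception and the `MAX_SEGMENT_SIZE` constant are assumptions for illustration, and the sample tokens are constructed in the block.

```python
import base64
import json

# Assumed limit for a single encoded JWS segment (header, payload or signature).
# The check is done on the *encoded* length so nothing large is ever decoded.
MAX_SEGMENT_SIZE = 256 * 1024  # 256 KB


class SegmentTooLarge(ValueError):
    """Raised when a compact-JWS segment exceeds the limit before decoding."""


def _b64url_decode(segment: str) -> bytes:
    """base64url-decode a segment, restoring the padding that JOSE strips."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    """base64url-encode without padding, as JOSE does."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def extract_segments(token: str, limit: int = MAX_SEGMENT_SIZE):
    """Split a compact JWS into its three segments and bounds-check each one
    *before* any base64url decoding takes place.

    Returns (header_dict, payload_bytes, signature_bytes).
    Raises SegmentTooLarge for an oversized segment and ValueError for a
    malformed token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three segments")
    for name, part in zip(("header", "payload", "signature"), parts):
        # Decoded length is at most 3/4 of the encoded length, so comparing
        # the encoded length is a safe upper bound and allocates nothing.
        if len(part) > limit:
            raise SegmentTooLarge(f"{name} segment is {len(part)} bytes, limit {limit}")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("JOSE header must be a JSON object")
    return header, _b64url_decode(parts[1]), _b64url_decode(parts[2])


def build_unsigned_token(header: dict, payload: dict) -> str:
    """Constructed test helper: assemble a compact JWS with an empty signature."""
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        "",
    ])


def check_token(token: str, limit: int = MAX_SEGMENT_SIZE) -> str:
    """Classify a token as 'ok', 'too_large' or 'malformed'.

    Oversized input is classified without being decoded.
    """
    try:
        extract_segments(token, limit)
        return "ok"
    except SegmentTooLarge:
        return "too_large"
    except ValueError:  # includes json.JSONDecodeError and binascii.Error
        return "malformed"


if __name__ == "__main__":
    # Constructed sample inputs: a small well-formed token and one whose header
    # segment is one byte over the limit.
    normal = build_unsigned_token({"alg": "HS256", "typ": "JWT"}, {"sub": "alice"})
    oversized = "A" * (MAX_SEGMENT_SIZE + 1) + "." + normal.split(".", 1)[1]
    print("normal token:", check_token(normal))        # ok
    print("oversized header:", check_token(oversized))  # too_large
```

The size check deliberately runs on the raw string before `urlsafe_b64decode` is called; a check placed after decoding still pays the full memory and CPU cost that the vulnerability is about. The signature is returned as raw bytes so the caller can hand it to the actual verification step only after all three segments have passed the bound.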

How to Exploit:

Craft JWT with enormous base64url-encoded header.

Protection from this CVE

Apply upstream patch enforcing 256KB limits.

Impact:

Service downtime via resource exhaustion.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode