authlib joserfc up to 1.3.4/1.4.1 ExceededSizeError Message allocation of resources

Summaryinfo

A vulnerability was found in authlib joserfc up to 1.3.4/1.4.1. It has been rated as critical. The affected element is an unknown function of the component ExceededSizeError Message Handler. This manipulation causes allocation of resources. The identification of this vulnerability is CVE-2025-65015. It is possible to initiate the attack remotely. There is no exploit available. Upgrading the affected component is advised.

Detailsinfo

A vulnerability was found in authlib joserfc up to 1.3.4/1.4.1. It has been declared as critical. Affected by this vulnerability is an unknown function of the component ExceededSizeError Message Handler. The manipulation with an unknown input leads to a allocation of resources vulnerability. The CWE definition for the vulnerability is CWE-770. The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. As an impact it is known to affect availability. The summary by CVE is:

joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In versions from 1.3.3 to before 1.3.5 and from 1.4.0 to before 1.4.2, the ExceededSizeError exception messages are embedded with non-decoded JWT token parts and may cause Python logging to record an arbitrarily large, forged JWT payload. In situations where a misconfigured — or entirely absent — production-grade web server sits in front of a Python web application, an attacker may be able to send arbitrarily large bearer tokens in the HTTP request headers. When this occurs, Python logging or diagnostic tools (e.g., Sentry) may end up processing extremely large log messages containing the full JWT header during the joserfc.jwt.decode() operation. The same behavior also appears when validating claims and signature payload sizes, as the library raises joserfc.errors.ExceededSizeError() with the full payload embedded in the exception message. Since the payload is already fully loaded into memory at this stage, the library cannot prevent or reject it. This issue has been patched in versions 1.3.5 and 1.4.2.

It is possible to read the advisory at github.com. This vulnerability is known as CVE-2025-65015 since 11/13/2025. The exploitation appears to be easy. The attack can be launched remotely. The exploitation doesn't need any form of authentication. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1499 according to MITRE ATT&CK.

The vulnerability scanner Nessus provides a plugin with the ID 275773 (Linux Distros Unpatched Vulnerability : CVE-2025-65015), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 1.3.5 or 1.4.2 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch 63932f169d924caffafa761af2122b82059017f7 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at Tenable (275773). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Vendor

• authlib

Name

• joserfc

Version

• 1.3.0
• 1.3.1
• 1.3.2
• 1.3.3
• 1.3.4
• 1.4.0
• 1.4.1

License

• open-source

Website

• Product: https://github.com/authlib/joserfc/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion