Authlib Denial-of-Service Vulnerability via Oversized JOSE Segments

Vulnerability

A denial-of-service vulnerability has been identified in Authlib, a Python library for building OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib's JOSE implementation placed no bound on the size of the JWS/JWT header and signature segments. A remote attacker could therefore craft a token whose base64url-encoded header or signature segment runs to hundreds of megabytes. During verification, Authlib base64url-decoded and parsed the entire segment before rejecting the token, so the full CPU and memory cost was paid before any signature check, and no valid key or credential was needed to trigger it. On a test host, verifying a token with a 500 MB header consumed approximately 4 GB of RAM and 9 seconds of CPU time before failing, which shows how a handful of such requests can exhaust a verifier's resources and disrupt service.

Impact

Each oversized token forces the verifier to spend large amounts of CPU and memory before it is rejected, and because this happens before signature validation the cost can be imposed by an unauthenticated client. Repeated or concurrent requests can drive the process into memory exhaustion or keep it busy decoding, leaving the application or service unresponsive or unavailable.

Reproduction

The vulnerability can be reproduced against Authlib version 1.6.4 or earlier. Construct a compact JWS (three base64url segments separated by dots) whose header or signature segment is padded to a very large size, then submit it to any endpoint that passes the token to Authlib's JWS/JWT verification. A short Python script can automate the construction and submission. While the server attempts to decode and parse the oversized segment, its memory and CPU usage climb sharply before the token is finally rejected as invalid.

Remediation

Users are advised to update Authlib to version 1.6.5 or later, where this vulnerability has been patched. The patched version enforces a size limit on JWS/JWT inputs, rejecting header and signature segments larger than 256 KB instead of decoding them. As defense in depth, apply rate limits to verification endpoints and reject oversized JWS/JWT inputs (for example by capping request and Authorization header sizes) at the proxy or web application firewall layer, so that pathological tokens never reach the verifier.
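The following Python example is added here and is not part of the advisory or of Authlib's own code. It shows both halves of the issue: build_padded_jws constructs a compact JWS with an oversized header or signature segment (scaled down to about 1 MB so it runs quickly, rather than the 500 MB case above), and check_jws_segment_sizes is the kind of pre-decode length check that the patched version applies and that an application or front-end proxy can apply in front of an unpatched verifier. The 256 KB limit, the function names and the verify callable handed to verify_with_precheck are assumptions; the actual Authlib verification call is not shown.

```python
import base64
import json

# Assumed limit on each base64url-encoded header/signature segment, in bytes.
# 256 KB matches the limit the advisory attributes to Authlib 1.6.5; tune it to
# the largest legitimate token your issuers actually produce.
MAX_SEGMENT_BYTES = 256 * 1024


def _b64url(data: bytes) -> str:
    """base64url without padding, as used by JWS compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_padded_jws(header_pad: int, sig_bytes: int) -> str:
    """Construct a compact JWS whose protected header carries header_pad
    padding characters and whose signature segment is sig_bytes junk bytes.

    The signature is garbage, so the token can never verify; the point is
    that a verifier which decodes header and signature before checking
    anything pays for their full size. (Constructed test input, not a token
    from any real issuer.)
    """
    header = {"alg": "HS256", "typ": "JWT", "pad": "A" * header_pad}
    payload = {"sub": "nobody"}
    return ".".join((
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url(b"\x00" * sig_bytes),
    ))


def check_jws_segment_sizes(token: str, limit: int = MAX_SEGMENT_BYTES):
    """Cheap pre-check: O(len(token)) string work, no decoding, no parsing.

    Returns (True, "ok") or (False, reason). Only the encoded lengths are
    inspected, so an attacker cannot make this step itself expensive.
    """
    if not token.isascii():
        return False, "token contains non-ASCII characters"
    parts = token.split(".")
    if len(parts) != 3:
        return False, f"expected 3 segments, got {len(parts)}"
    header, _payload, signature = parts
    # For an ASCII str, len() is the byte length of the encoded segment.
    for name, segment in (("header", header), ("signature", signature)):
        if len(segment) > limit:
            return False, f"{name} segment is {len(segment)} bytes, limit is {limit}"
    return True, "ok"


def verify_with_precheck(token: str, verify):
    """Run the size check, then hand the token to the real verifier.

    `verify` is any callable that performs full JWS/JWT verification, for
    example a wrapper around Authlib's decode call with your key (assumed
    here, not shown). It is only reached once the cheap check has passed.
    """
    ok, reason = check_jws_segment_sizes(token)
    if not ok:
        raise ValueError(f"rejected before decoding: {reason}")
    return verify(token)


if __name__ == "__main__":
    # A benign token passes; a ~1 MB header and a ~1 MB signature are refused
    # without any base64 decoding or JSON parsing taking place.
    for tok in (build_padded_jws(10, 32),
                build_padded_jws(1_000_000, 32),
                build_padded_jws(10, 1_000_000)):
        print(len(tok), check_jws_segment_sizes(tok))
```

The check deliberately measures the encoded segments rather than decoding them first, because decoding is exactly the work the attacker wants to force. The payload segment is left unbounded here to mirror the header-and-signature scope described above; in practice a cap on the total Authorization header or request size at the proxy covers it as well.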

Added: Oct 10, 2025, 8:22 PM
Updated: Oct 10, 2025, 8:22 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 2.5
exploitability: 6.0
remediation: 7.9
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.