Authlib Cryptographic Padding Oracle Vulnerability in JWE RSA1_5 Algorithm

A cryptographic padding oracle vulnerability exists in the Authlib Python library, specifically in versions prior to 1.6.9. This vulnerability pertains to the JSON Web Encryption (JWE) RSA1_5 key management algorithm, which is registered by Authlib in its default algorithm registry without requiring explicit opt-in. The issue arises because Authlib actively undermines the constant-time Bleichenbacher mitigation that the underlying cryptography library implements correctly. As a result, an attacker can exploit this vulnerability to mount a Bleichenbacher attack, recovering encrypted keys and potentially decrypting JWE payloads or forging new JWE tokens.

Impact

Exploitation of this vulnerability creates a padding oracle that can be used to mount a Bleichenbacher attack, allowing an attacker to recover the Content Encryption Key (CEK) from JWE tokens encrypted with RSA1_5. Once the CEK is obtained, any intercepted JWE payload can be decrypted, and new valid JWE tokens can be forged using the recovered CEK.

Reproduction

The vulnerability can be reproduced by using Authlib version 1.6.8 in conjunction with the cryptography library version 46.0.5. After setting up a Python environment with these versions, JWE tokens can be crafted and sent to an endpoint that decrypts JWE tokens using the RSA1_5 algorithm. The response will reveal the existence of the padding oracle, as different error messages and HTTP response codes will be returned depending on whether the padding was valid or not. This behavior can be automated with a script that sends a stream of requests, mimicking the steps of a Bleichenbacher attack.

Remediation

Users are advised to update to Authlib version 1.6.9, where this vulnerability has been patched. In this version, the library no longer registers RSA1_5 in the default algorithm registry and restores the constant-time behavior required to prevent the padding oracle vulnerability.