Authlib 1.6.8

Direct Vulnerabilities

Known vulnerabilities in the Authlib package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Cross-site Request Forgery (CSRF) authlib is a library in building OAuth and OpenID Connect servers. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) in the Client integrations due to the lack of CSRF protection for cash parameters. An attacker can perform unauthorized actions on behalf of a user by tricking the victim into following a crafted authentication flow, which results in the attacker's account being linked to the victim's session. Note: Version 1.6.11 patches CSRF issue only in Starlette Client. Other integrations might still be vulnerable. How to fix Cross-site Request Forgery (CSRF)? Upgrade `authlib` to version 1.6.11 or higher.	[,1.6.11)
H Not Failing Securely ('Failing Open') authlib is a library in building OAuth and OpenID Connect servers. Affected versions of this package are vulnerable to Not Failing Securely ('Failing Open') via the `_verify_hash` function in `authlib/oidc/core/claims.py`. An attacker can substitute an access token or authorization code undetected by supplying an ID token with an unsupported `alg` header, causing `create_half_hash` to return `None` and the verification to incorrectly succeed. How to fix Not Failing Securely ('Failing Open')? Upgrade `authlib` to version 1.6.9 or higher.	[,1.6.9)
C Improper Verification of Cryptographic Signature authlib is a library in building OAuth and OpenID Connect servers. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the `JsonWebSignature._prepare_algorithm_key()` method in `authlib/jose/rfc7515/jws.py`. An attacker can bypass authentication and authorization by sending a JWT whose header contains an attacker-controlled `jwk` while the resolver returns `None`, causing the library to accept the forged token as valid and expose any embedded claims. How to fix Improper Verification of Cryptographic Signature? Upgrade `authlib` to version 1.6.9 or higher.	[,1.6.9)
H Timing Attack authlib is a library in building OAuth and OpenID Connect servers. Affected versions of this package are vulnerable to Timing Attack via the `unwrap` length check in `jwe_algs.py`. An attacker can recover the CEK and decrypt or forge JWE tokens by sending malformed RSA1_5 ciphertexts and observing the different `ValueError("Invalid "cek" length")` versus `InvalidTag` responses. How to fix Timing Attack? Upgrade `authlib` to version 1.6.9 or higher.	[,1.6.9)

Vulnerability

Vulnerable Version

Cross-site Request Forgery (CSRF)

authlib is a library in building OAuth and OpenID Connect servers.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) in the Client integrations due to the lack of CSRF protection for cash parameters. An attacker can perform unauthorized actions on behalf of a user by tricking the victim into following a crafted authentication flow, which results in the attacker's account being linked to the victim's session.

Note:

Version 1.6.11 patches CSRF issue only in Starlette Client. Other integrations might still be vulnerable.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade authlib to version 1.6.11 or higher.

[,1.6.11)

Not Failing Securely ('Failing Open')

authlib is a library in building OAuth and OpenID Connect servers.

Affected versions of this package are vulnerable to Not Failing Securely ('Failing Open') via the _verify_hash function in authlib/oidc/core/claims.py. An attacker can substitute an access token or authorization code undetected by supplying an ID token with an unsupported alg header, causing create_half_hash to return None and the verification to incorrectly succeed.

How to fix Not Failing Securely ('Failing Open')?

Upgrade authlib to version 1.6.9 or higher.

[,1.6.9)

Improper Verification of Cryptographic Signature

authlib is a library in building OAuth and OpenID Connect servers.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the JsonWebSignature._prepare_algorithm_key() method in authlib/jose/rfc7515/jws.py. An attacker can bypass authentication and authorization by sending a JWT whose header contains an attacker-controlled jwk while the resolver returns None, causing the library to accept the forged token as valid and expose any embedded claims.

How to fix Improper Verification of Cryptographic Signature?

Upgrade authlib to version 1.6.9 or higher.

[,1.6.9)

Timing Attack

authlib is a library in building OAuth and OpenID Connect servers.

Affected versions of this package are vulnerable to Timing Attack via the unwrap length check in jwe_algs.py. An attacker can recover the CEK and decrypt or forge JWE tokens by sending malformed RSA1_5 ciphertexts and observing the different ValueError("Invalid "cek" length") versus InvalidTag responses.

How to fix Timing Attack?

Upgrade authlib to version 1.6.9 or higher.

[,1.6.9)

Authlib@1.6.8

The ultimate Python library in building OAuth and OpenID Connect servers and clients.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically