
@Neiland85

This improvement submission refines the technical accuracy, proof-of-concept reproducibility, and defensive guidance for CVE-2025-61920.
The prior entry lacked quantitative data and explicit remediation guidance.
This update provides:

  • Verified test data on CPU/memory impact.
  • Safe reproducible PoC and regression coverage (test_jose_dos.py).
  • Explicit patched constants (MAX_HEADER_SEGMENT_BYTES, MAX_SIGNATURE_SEGMENT_BYTES).
  • Valid CWE mappings and mitigation practices (WAF-level filtering, throttling).
  • Enhanced readability aligned with GitHub’s Security Advisory format.

Supporting evidence:

  • Authlib commit: 867e3f87b072347a1ae9cf6983cc8bbf88447e5e
  • Regression tests in upstream repo
  • PoC script
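A defensive illustration of the segment-size limit that the patched constants named above describe, added here as example code rather than Authlib's own implementation; the limit values, function names and sample tokens are assumptions constructed for this example:

```python
import base64
import json

# Assumed limits for this added example, in bytes of base64url text per
# compact-serialization segment; the values in the Authlib patch may differ.
MAX_HEADER_SEGMENT_BYTES = 4096
MAX_SIGNATURE_SEGMENT_BYTES = 1024


def check_segment_sizes(token: str,
                        max_header: int = MAX_HEADER_SEGMENT_BYTES,
                        max_signature: int = MAX_SIGNATURE_SEGMENT_BYTES):
    """Bound the header and signature segments of a compact JWS.

    Returns (ok, reason). Lengths are measured on the raw base64url text,
    so nothing is decoded and no memory is allocated for an oversized
    token before it is rejected.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, f"expected 3 segments, got {len(parts)}"
    header, _payload, signature = parts
    if len(header) > max_header:
        return False, f"header segment {len(header)} > {max_header} bytes"
    if len(signature) > max_signature:
        return False, f"signature segment {len(signature)} > {max_signature} bytes"
    return True, "ok"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_header(token: str) -> dict:
    """Decode the protected header only after the size check passes."""
    ok, reason = check_segment_sizes(token)
    if not ok:
        raise ValueError(reason)
    return json.loads(_b64url_decode(token.split(".", 1)[0]))


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample tokens (signatures are dummy bytes): one normal, one
# with an oversized header segment of the kind the limit exists to reject.
NORMAL_TOKEN = ".".join([_b64url(b'{"alg":"HS256","typ":"JWT"}'),
                         _b64url(b'{"sub":"demo"}'), _b64url(b"\x00" * 32)])
OVERSIZED_TOKEN = ".".join([_b64url(b'{"alg":"HS256","x":"' + b"A" * 10000 + b'"}'),
                            _b64url(b'{"sub":"demo"}'), _b64url(b"\x00" * 32)])
```

The check runs on string lengths before any base64 or JSON work, which is the point of bounding segments rather than decoded output.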

@github
Collaborator

github commented Oct 30, 2025

Hi there @lepture! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.

Copilot AI review requested due to automatic review settings October 30, 2025 18:35
@github-actions github-actions bot changed the base branch from main to Neiland85/advisory-improvement-6373 October 30, 2025 18:36

Copilot AI left a comment


Pull Request Overview

This pull request reformats the security advisory details for CVE-2025-61920, which addresses a Denial of Service vulnerability in Authlib's JOSE implementation. The changes improve readability by restructuring the markdown formatting in the details field while preserving all technical information.

Key Changes:

  • Updated the modified timestamp to reflect the change
  • Reformatted the details field from inline markdown to a more structured, plain text format with clearer section breaks and consistent formatting


@shelbyc
Copy link
Contributor

shelbyc commented Oct 30, 2025

Hi @Neiland85, I'm confused about the purpose of these changes to the advisory. The reference links, CVSS, and CWEs appear in their own sections of the GHSA outside of the description. Why should they be added to the description of the advisory when there are already fields for them in other places on the page?

Author

@Neiland85 Neiland85 left a comment


GHSA key!

@shelbyc
Contributor

shelbyc commented Nov 3, 2025

I think the description is fine the way it currently is and doesn't need additions of information that is present elsewhere on the GHSA page. Therefore, I'm closing the PR.

@shelbyc shelbyc closed this Nov 3, 2025
@github-actions github-actions bot deleted the Neiland85-GHSA-pq5p-34cr-23v9 branch November 3, 2025 13:37