Here are some news items our team found interesting over the past week, which you might have missed.
- Authlib, a popular Python library for implementing OAuth and OpenID (remember that?) servers, has a pair of vulnerabilities (CVE-2025-61920, CVE-2025-59420; both CVSSv3=7.5) in its handling of JOSE and JWS tokens. CVE-2025-61920 is a recent disclosure which has renewed interest in CVE-2025-59420, disclosed earlier this year. These issues allow attackers to bypass certain security-relevant header checks, resulting in Denial of Service attacks and policy bypass. In some cases, this allows for privilege escalation. Patches for both are available starting in Authlib 1.6.5.
- Spring Framework has a vulnerability (CVE-2025-41254, CVSS=4.3) in its global and automatic anti-CSRF mechanisms. This vulnerability allows endpoints using the STOMP protocol over WebSockets to be vulnerable to CSRF attacks (CWE-352). Attackers can send STOMP messages that should be rejected, but are not, allowing impersonation of users. Many versions are affected (5.3.0–5.3.45, 6.0.0–6.0.29, 6.1.0–6.1.23, 6.2.0–6.2.11); see the advisory for upgrade details.
Python Authlib DoS and Escalation of Privileges
Authlib, a popular Python library for implementing OAuth and OpenID (remember that?) servers, has a pair of vulnerabilities (CVE-2025-61920, CVE-2025-59420; both CVSSv3=7.5) in its handling of JOSE and JWS tokens. CVE-2025-61920 is a recent disclosure which has renewed interest in CVE-2025-59420, disclosed earlier this year. These issues allow attackers to bypass certain security-relevant header checks, resulting in Denial of Service attacks and policy bypass. In some cases, this allows for privilege escalation. Patches for both are available starting in Authlib 1.6.5.
CVE-2025-61920 (oversized segments) describes a vulnerability in which Authlib accepts base64url header and signature segments without properly checking their length. Since Authlib decodes and parses the entire segment before rejecting it, an attacker-provided token whose header or signature decodes to a large data chunk – perhaps hundreds of megabytes – results in significant memory and CPU usage, enough to crash or severely degrade the process (CWE-770). The advisory description notes observing single requests which produced gigabytes of memory use and many seconds of CPU time.
If you spot significant resource usage or a larger-than-normal failure rate in decoding segments, these could be indicators of adversarial behavior. This can be mitigated prior to upgrade by checking for reasonable header and signature lengths at your application edge (WAF, proxy, gateway, etc.), rejecting too-large requests before they hit the server. This is a wise control to implement in any case.
CVE-2025-59420 (unknown crit). RFC 7515 requires a verifier to reject tokens that list critical header parameters it does not understand. Authlib’s verifier accepted tokens that include unknown crit entries. In mixed verifier deployments an attacker can provide a token that would be rejected by strict verifiers but is accepted by vulnerable Authlib instances, ultimately enabling policy bypass or privilege escalation in federated systems (CWE-347 / CWE-285).
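As an added illustration (not Authlib's code or a patch for it), here is a minimal pre-verification check for compact JWS tokens covering both issues above: it bounds the header and signature segments on the raw text before anything is decoded, then rejects tokens whose crit list names anything the verifier does not implement, as RFC 7515 requires. The size limits, the UNDERSTOOD_CRIT set and the make_token helper are assumptions made for this example.

```python
import base64
import json

# Assumed policy limits (chosen for this example, not Authlib's defaults): real
# JWS protected headers and signatures are at most a few hundred bytes.
MAX_HEADER_B64, MAX_SIGNATURE_B64 = 4096, 1024
# RFC 7515 section 4.1: registered header names that MUST NOT appear in "crit".
REGISTERED_HEADERS = {"alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t",
                      "x5t#S256", "typ", "cty", "crit"}
# Extensions this verifier actually implements (assumed; "b64" is RFC 7797).
UNDERSTOOD_CRIT = {"b64"}

class JWSRejected(Exception):
    pass

def b64url_decode(segment: str) -> bytes:
    # Compact serialization uses unpadded base64url; restore padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_token(header: dict, payload: bytes = b"{}", sig: bytes = b"sig") -> str:
    # Builds a constructed compact JWS (not really signed) to exercise the checks.
    return ".".join(base64.urlsafe_b64encode(s).rstrip(b"=").decode("ascii")
                    for s in (json.dumps(header).encode(), payload, sig))

def check_jws_header(token: str) -> dict:
    # Bound segment sizes on the raw text before decoding (CWE-770), then apply
    # RFC 7515 "crit" rules (CWE-347); signature verification would follow.
    parts = token.split(".")
    if len(parts) != 3:
        raise JWSRejected("compact JWS must have exactly three segments")
    header_b64, _payload_b64, signature_b64 = parts
    if len(header_b64) > MAX_HEADER_B64 or len(signature_b64) > MAX_SIGNATURE_B64:
        raise JWSRejected("header or signature segment exceeds size limit")
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError as exc:  # covers binascii.Error and JSONDecodeError
        raise JWSRejected(f"malformed protected header: {exc}")
    if not isinstance(header, dict):
        raise JWSRejected("protected header must be a JSON object")
    crit = header.get("crit")
    if crit is None:
        return header
    if not isinstance(crit, list) or not crit or not all(isinstance(c, str) for c in crit):
        raise JWSRejected("'crit' must be a non-empty array of strings")
    for name in crit:
        if name in REGISTERED_HEADERS or name not in header:
            raise JWSRejected(f"'crit' entry {name!r} is registered or absent")
        if name not in UNDERSTOOD_CRIT:
            raise JWSRejected(f"unknown critical header {name!r}")
    return header
```

The same length check belongs at the edge (WAF or gateway rule on the token's first and last dot-separated segments), where it stops oversized tokens before any application code runs.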
Spring Framework CSRF for STOMP over WebSocket implementations
Spring Framework has a vulnerability (CVE-2025-41254, CVSS=4.3) in its global and automatic anti-CSRF mechanisms. This vulnerability allows endpoints using the STOMP protocol over WebSockets to be vulnerable to CSRF attacks (CWE-352). Attackers can send STOMP messages that should be rejected, but are not, allowing impersonation of users. Many versions are affected (5.3.0–5.3.45, 6.0.0–6.0.29, 6.1.0–6.1.23, 6.2.0–6.2.11); see the advisory for upgrade details.
Fortunately, this configuration is not incredibly common, and it requires an attacker to bait a legitimate user in some way (as with all CSRF), which lowers the severity of this issue. Detecting an attack is challenging, unless you have enough log detail to determine that CONNECT and SEND frames are occurring without a corresponding UI event.
If you have a STOMP-over-WebSocket endpoint in a Spring Framework app, make updating a high priority. Edge systems like WAFs and reverse proxies may be able to provide additional anti-CSRF controls that mitigate this issue.