Nixpkgs security tracker
Activity log
- Created suggestion
Authlib: Fail-Open Cryptographic Verification in OIDC Hash Binding
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Specifically, the internal hash verification logic (_verify_hash) responsible for validating the at_hash (Access Token Hash) and c_hash (Authorization Code Hash) claims exhibits a fail-open behavior when encountering an unsupported or unknown cryptographic algorithm. This flaw allows an attacker to bypass mandatory integrity protections by supplying a forged ID Token with a deliberately unrecognized alg header parameter. The library intercepts the unsupported state and silently returns True (validation passed), inherently violating fundamental cryptographic design principles and direct OIDC specifications. This issue has been patched in version 1.6.9.
References
-
https://github.com/authlib/authlib/security/advisories/GHSA-m344-f55w-2m6j x_refsource_CONFIRM
-
https://github.com/authlib/authlib/releases/tag/v1.6.9 x_refsource_MISC
Affected products
- ==< 1.6.9
Matching in nixpkgs
pkgs.python312Packages.authlib
Library for building OAuth and OpenID Connect servers
pkgs.python313Packages.authlib
Library for building OAuth and OpenID Connect servers
pkgs.python314Packages.authlib
Library for building OAuth and OpenID Connect servers
pkgs.python312Packages.oauthlib
Generic, spec-compliant, thorough implementation of the OAuth request-signing logic
pkgs.python313Packages.oauthlib
Generic, spec-compliant, thorough implementation of the OAuth request-signing logic
pkgs.python314Packages.oauthlib
Generic, spec-compliant, thorough implementation of the OAuth request-signing logic
pkgs.python312Packages.hawkauthlib
Hawk Access Authentication protocol
pkgs.python313Packages.hawkauthlib
Hawk Access Authentication protocol
pkgs.python314Packages.hawkauthlib
Hawk Access Authentication protocol
pkgs.python312Packages.aiohttp-oauthlib
oauthlib integration for aiohttp clients
pkgs.python313Packages.aiohttp-oauthlib
oauthlib integration for aiohttp clients
pkgs.python314Packages.aiohttp-oauthlib
oauthlib integration for aiohttp clients
pkgs.python312Packages.requests-oauthlib
OAuthlib authentication support for Requests
pkgs.python313Packages.requests-oauthlib
OAuthlib authentication support for Requests
pkgs.python314Packages.requests-oauthlib
OAuthlib authentication support for Requests
pkgs.python312Packages.google-auth-oauthlib
Google Authentication Library: oauthlib integration
pkgs.python313Packages.google-auth-oauthlib
Google Authentication Library: oauthlib integration
pkgs.python314Packages.google-auth-oauthlib
Google Authentication Library: oauthlib integration
Package maintainers
-
@sumnerevans Sumner Evans <me@sumnerevans.com>
-
@flokli Florian Klink <flokli@flokli.de>
-
@terlar Terje Larsen <terlar@gmail.com>
-
@prikhi Pavan Rikhi <pavan.rikhi@gmail.com>
-
@sarahec Sarah Clark <seclark@nextquestion.net>