Authlib: Fail-Open Cryptographic Verification in OIDC Hash Binding

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Specifically, the internal hash verification logic (_verify_hash) responsible for validating the at_hash (Access Token Hash) and c_hash (Authorization Code Hash) claims exhibits a fail-open behavior when encountering an unsupported or unknown cryptographic algorithm. This flaw allows an attacker to bypass mandatory integrity protections by supplying a forged ID Token with a deliberately unrecognized alg header parameter. The library intercepts the unsupported state and silently returns True (validation passed), inherently violating fundamental cryptographic design principles and direct OIDC specifications. This issue has been patched in version 1.6.9.

N/A

完整性检查值验证不恰当

Authlib 安全漏洞

Authlib是Authlib开源的一个构建 OAuth 和 OpenID Connect 服务器的终极 Python 库。 Authlib 1.6.9之前版本存在安全漏洞，该漏洞源于OpenID Connect ID令牌验证逻辑存在失败开放行为，可能导致攻击者通过提供伪造令牌绕过完整性保护。

N/A

N/A