Nixpkgs security tracker

Published

Permalink CVE-2026-44681

6.1 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Changed (C)
Confidentiality (C): Low (L)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

updated 2 weeks, 2 days ago by @LeSuisse Activity log

Created suggestion 2 weeks, 3 days ago
@LeSuisse ignored
15 packages
- python312Packages.oauthlib
- python313Packages.oauthlib
- python314Packages.oauthlib
- python312Packages.hawkauthlib
- python313Packages.hawkauthlib
- python314Packages.hawkauthlib
- python312Packages.aiohttp-oauthlib
- python313Packages.aiohttp-oauthlib
- python314Packages.aiohttp-oauthlib
- python312Packages.requests-oauthlib
- python313Packages.requests-oauthlib
- python314Packages.requests-oauthlib
- python312Packages.google-auth-oauthlib
- python314Packages.google-auth-oauthlib
- python313Packages.google-auth-oauthlib
2 weeks, 2 days ago
@LeSuisse accepted 2 weeks, 2 days ago
@LeSuisse published on GitHub 2 weeks, 2 days ago

Authlib: Open Redirect in Authlib OIDC Implicit/Hybrid Authorization

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attacker-chosen URL by submitting an authorization request that omits the openid scope. This vulnerability is fixed in 1.6.12 and 1.7.1.

References

https://github.com/authlib/authlib/security/advisories/GHSA-r95x-qfjj-fjj2 x_refsource_CONFIRM

Affected products

authlib

==< 1.6.12
==>= 1.7.0, < 1.7.1

Matching in nixpkgs

pkgs.python312Packages.authlib

None

pkgs.python313Packages.authlib

Library for building OAuth and OpenID Connect servers

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0

pkgs.python314Packages.authlib

Library for building OAuth and OpenID Connect servers

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0

Ignored packages (15)

pkgs.python312Packages.oauthlib

None

pkgs.python313Packages.oauthlib

Generic, spec-compliant, thorough implementation of the OAuth request-signing logic

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1

pkgs.python314Packages.oauthlib

Generic, spec-compliant, thorough implementation of the OAuth request-signing logic

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1

pkgs.python312Packages.hawkauthlib

None

pkgs.python313Packages.hawkauthlib

Hawk Access Authentication protocol

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python314Packages.hawkauthlib

Hawk Access Authentication protocol

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python312Packages.aiohttp-oauthlib

None

pkgs.python313Packages.aiohttp-oauthlib

oauthlib integration for aiohttp clients

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0

pkgs.python314Packages.aiohttp-oauthlib

oauthlib integration for aiohttp clients

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0

pkgs.python312Packages.requests-oauthlib

None

pkgs.python313Packages.requests-oauthlib

OAuthlib authentication support for Requests

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python314Packages.requests-oauthlib

OAuthlib authentication support for Requests

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python312Packages.google-auth-oauthlib

None

pkgs.python313Packages.google-auth-oauthlib

Google Authentication Library: oauthlib integration

nixos-unstable 1.3.1
- nixpkgs-unstable 1.3.1
- nixos-unstable-small 1.3.1

pkgs.python314Packages.google-auth-oauthlib

Google Authentication Library: oauthlib integration

nixos-unstable 1.3.1
- nixpkgs-unstable 1.3.1
- nixos-unstable-small 1.3.1

Package maintainers

@flokli Florian Klink <flokli@flokli.de>

Published

Permalink CVE-2026-41425

5.4 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

updated 1 month, 2 weeks ago by @LeSuisse Activity log

Created suggestion 1 month, 2 weeks ago
@LeSuisse ignored
15 packages
- python312Packages.oauthlib
- python313Packages.oauthlib
- python314Packages.oauthlib
- python312Packages.hawkauthlib
- python313Packages.hawkauthlib
- python314Packages.hawkauthlib
- python312Packages.aiohttp-oauthlib
- python313Packages.aiohttp-oauthlib
- python314Packages.aiohttp-oauthlib
- python312Packages.requests-oauthlib
- python313Packages.requests-oauthlib
- python314Packages.requests-oauthlib
- python312Packages.google-auth-oauthlib
- python313Packages.google-auth-oauthlib
- python314Packages.google-auth-oauthlib
1 month, 2 weeks ago
@LeSuisse accepted 1 month, 2 weeks ago
@LeSuisse published on GitHub 1 month, 2 weeks ago

Authlib: Cross-site request forging when using cache

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11.

References

https://github.com/authlib/authlib/security/advisories/GHSA-jj8c-mmj3-mmgv x_refsource_CONFIRM

Affected products

authlib

==< 1.6.11

Matching in nixpkgs

pkgs.python312Packages.authlib

None

pkgs.python313Packages.authlib

Library for building OAuth and OpenID Connect servers

nixos-unstable 1.6.9
- nixpkgs-unstable 1.6.9
- nixos-unstable-small 1.6.9

pkgs.python314Packages.authlib

Library for building OAuth and OpenID Connect servers

nixos-unstable 1.6.9
- nixpkgs-unstable 1.6.9
- nixos-unstable-small 1.6.9

Ignored packages (15)

pkgs.python312Packages.oauthlib

None

pkgs.python313Packages.oauthlib

Generic, spec-compliant, thorough implementation of the OAuth request-signing logic

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1

pkgs.python314Packages.oauthlib

Generic, spec-compliant, thorough implementation of the OAuth request-signing logic

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1

pkgs.python312Packages.hawkauthlib

None

pkgs.python313Packages.hawkauthlib

Hawk Access Authentication protocol

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python314Packages.hawkauthlib

Hawk Access Authentication protocol

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python312Packages.aiohttp-oauthlib

None

pkgs.python313Packages.aiohttp-oauthlib

oauthlib integration for aiohttp clients

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0

pkgs.python314Packages.aiohttp-oauthlib

oauthlib integration for aiohttp clients

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0

pkgs.python312Packages.requests-oauthlib

None

pkgs.python313Packages.requests-oauthlib

OAuthlib authentication support for Requests

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python314Packages.requests-oauthlib

OAuthlib authentication support for Requests

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python312Packages.google-auth-oauthlib

None

pkgs.python313Packages.google-auth-oauthlib

Google Authentication Library: oauthlib integration

nixos-unstable 1.2.4
- nixpkgs-unstable 1.2.4
- nixos-unstable-small 1.2.4

pkgs.python314Packages.google-auth-oauthlib

Google Authentication Library: oauthlib integration

nixos-unstable 1.2.4
- nixpkgs-unstable 1.2.4
- nixos-unstable-small 1.2.4

Package maintainers

@flokli Florian Klink <flokli@flokli.de>

Untriaged

Permalink CVE-2026-28490

created 2 months, 4 weeks ago Activity log

Created suggestion 2 months, 4 weeks ago

Authlib Vulnerable to JWE RSA1_5 Bleichenbacher Padding Oracle

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption (JWE) RSA1_5 key management algorithm. Authlib registers RSA1_5 in its default algorithm registry without requiring explicit opt-in, and actively destroys the constant-time Bleichenbacher mitigation that the underlying cryptography library implements correctly. This issue has been patched in version 1.6.9.

References

https://github.com/authlib/authlib/security/advisories/GHSA-7432-952r-cw78 x_refsource_CONFIRM
https://github.com/authlib/authlib/commit/48b345f29f6c459f11c6a40162b6c0b742ef2e22 x_refsource_MISC
https://github.com/authlib/authlib/releases/tag/v1.6.9 x_refsource_MISC

Affected products

authlib

==< 1.6.9

Matching in nixpkgs

pkgs.python312Packages.authlib

None

pkgs.python313Packages.authlib

Library for building OAuth and OpenID Connect servers

nixos-unstable 1.6.9
- nixpkgs-unstable 1.6.9
- nixos-unstable-small 1.6.9

pkgs.python314Packages.authlib

Library for building OAuth and OpenID Connect servers

nixos-unstable 1.6.9
- nixpkgs-unstable 1.6.9
- nixos-unstable-small 1.6.9

pkgs.python312Packages.oauthlib

None

pkgs.python313Packages.oauthlib

Generic, spec-compliant, thorough implementation of the OAuth request-signing logic

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1

pkgs.python314Packages.oauthlib

Generic, spec-compliant, thorough implementation of the OAuth request-signing logic

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1

pkgs.python312Packages.hawkauthlib

None

pkgs.python313Packages.hawkauthlib

Hawk Access Authentication protocol

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python314Packages.hawkauthlib

Hawk Access Authentication protocol

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python312Packages.aiohttp-oauthlib

None

pkgs.python313Packages.aiohttp-oauthlib

oauthlib integration for aiohttp clients

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0

pkgs.python314Packages.aiohttp-oauthlib

oauthlib integration for aiohttp clients

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0

pkgs.python312Packages.requests-oauthlib

None

pkgs.python313Packages.requests-oauthlib

OAuthlib authentication support for Requests

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python314Packages.requests-oauthlib

OAuthlib authentication support for Requests

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python312Packages.google-auth-oauthlib

None

pkgs.python313Packages.google-auth-oauthlib

Google Authentication Library: oauthlib integration

nixos-unstable 1.2.4
- nixpkgs-unstable 1.2.4
- nixos-unstable-small 1.2.4

pkgs.python314Packages.google-auth-oauthlib

Google Authentication Library: oauthlib integration

nixos-unstable 1.2.4
- nixpkgs-unstable 1.2.4
- nixos-unstable-small 1.2.4

Package maintainers

@sumnerevans Sumner Evans <me@sumnerevans.com>
@flokli Florian Klink <flokli@flokli.de>
@sarahec Sarah Clark <seclark@nextquestion.net>
@terlar Terje Larsen <terlar@gmail.com>
@prikhi Pavan Rikhi <pavan.rikhi@gmail.com>

Untriaged

Permalink CVE-2026-27962

9.1 CRITICAL

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): None (N)

created 2 months, 4 weeks ago Activity log

Created suggestion 2 months, 4 weeks ago

Authlib JWS JWK Header Injection: Signature Verification Bypass

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic key embedded in the attacker-controlled JWT jwk header field. An attacker can sign a token with their own private key, embed the matching public key in the header, and have the server accept the forged token as cryptographically valid — bypassing authentication and authorization entirely. This issue has been patched in version 1.6.9.

References

https://github.com/authlib/authlib/security/advisories/GHSA-wvwj-cvrp-7pv5 x_refsource_CONFIRM
https://github.com/authlib/authlib/commit/a5d4b2d4c9e46bfa11c82f85fdc2bcc0b50ae681 x_refsource_MISC
https://github.com/authlib/authlib/releases/tag/v1.6.9 x_refsource_MISC

Affected products

authlib

==< 1.6.9

Matching in nixpkgs

pkgs.python312Packages.authlib

None

pkgs.python313Packages.authlib

Library for building OAuth and OpenID Connect servers

nixos-unstable 1.6.9
- nixpkgs-unstable 1.6.9
- nixos-unstable-small 1.6.9

pkgs.python314Packages.authlib

Library for building OAuth and OpenID Connect servers

nixos-unstable 1.6.9
- nixpkgs-unstable 1.6.9
- nixos-unstable-small 1.6.9

pkgs.python312Packages.oauthlib

None

pkgs.python313Packages.oauthlib

Generic, spec-compliant, thorough implementation of the OAuth request-signing logic

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1

pkgs.python314Packages.oauthlib

Generic, spec-compliant, thorough implementation of the OAuth request-signing logic

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1

pkgs.python312Packages.hawkauthlib

None

pkgs.python313Packages.hawkauthlib

Hawk Access Authentication protocol

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python314Packages.hawkauthlib

Hawk Access Authentication protocol

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python312Packages.aiohttp-oauthlib

None

pkgs.python313Packages.aiohttp-oauthlib

oauthlib integration for aiohttp clients

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0

pkgs.python314Packages.aiohttp-oauthlib

oauthlib integration for aiohttp clients

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0

pkgs.python312Packages.requests-oauthlib

None

pkgs.python313Packages.requests-oauthlib

OAuthlib authentication support for Requests

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python314Packages.requests-oauthlib

OAuthlib authentication support for Requests

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python312Packages.google-auth-oauthlib

None

pkgs.python313Packages.google-auth-oauthlib

Google Authentication Library: oauthlib integration

nixos-unstable 1.2.4
- nixpkgs-unstable 1.2.4
- nixos-unstable-small 1.2.4

pkgs.python314Packages.google-auth-oauthlib

Google Authentication Library: oauthlib integration

nixos-unstable 1.2.4
- nixpkgs-unstable 1.2.4
- nixos-unstable-small 1.2.4

Package maintainers

@sumnerevans Sumner Evans <me@sumnerevans.com>
@flokli Florian Klink <flokli@flokli.de>
@sarahec Sarah Clark <seclark@nextquestion.net>
@terlar Terje Larsen <terlar@gmail.com>
@prikhi Pavan Rikhi <pavan.rikhi@gmail.com>

Untriaged

Permalink CVE-2026-28498

created 2 months, 4 weeks ago Activity log

Created suggestion 2 months, 4 weeks ago

Authlib: Fail-Open Cryptographic Verification in OIDC Hash Binding

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Specifically, the internal hash verification logic (_verify_hash) responsible for validating the at_hash (Access Token Hash) and c_hash (Authorization Code Hash) claims exhibits a fail-open behavior when encountering an unsupported or unknown cryptographic algorithm. This flaw allows an attacker to bypass mandatory integrity protections by supplying a forged ID Token with a deliberately unrecognized alg header parameter. The library intercepts the unsupported state and silently returns True (validation passed), inherently violating fundamental cryptographic design principles and direct OIDC specifications. This issue has been patched in version 1.6.9.

References

https://github.com/authlib/authlib/security/advisories/GHSA-m344-f55w-2m6j x_refsource_CONFIRM
https://github.com/authlib/authlib/commit/b9bb2b25bf8b7e01512d847a95c1749646eaa72b x_refsource_MISC
https://github.com/authlib/authlib/releases/tag/v1.6.9 x_refsource_MISC

Affected products

authlib

==< 1.6.9

Matching in nixpkgs

pkgs.python312Packages.authlib

None

pkgs.python313Packages.authlib

Library for building OAuth and OpenID Connect servers

nixos-unstable 1.6.9
- nixpkgs-unstable 1.6.9
- nixos-unstable-small 1.6.9

pkgs.python314Packages.authlib

Library for building OAuth and OpenID Connect servers

nixos-unstable 1.6.9
- nixpkgs-unstable 1.6.9
- nixos-unstable-small 1.6.9

pkgs.python312Packages.oauthlib

None

pkgs.python313Packages.oauthlib

Generic, spec-compliant, thorough implementation of the OAuth request-signing logic

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1

pkgs.python314Packages.oauthlib

Generic, spec-compliant, thorough implementation of the OAuth request-signing logic

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1

pkgs.python312Packages.hawkauthlib

None

pkgs.python313Packages.hawkauthlib

Hawk Access Authentication protocol

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python314Packages.hawkauthlib

Hawk Access Authentication protocol

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python312Packages.aiohttp-oauthlib

None

pkgs.python313Packages.aiohttp-oauthlib

oauthlib integration for aiohttp clients

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0

pkgs.python314Packages.aiohttp-oauthlib

oauthlib integration for aiohttp clients

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0

pkgs.python312Packages.requests-oauthlib

None

pkgs.python313Packages.requests-oauthlib

OAuthlib authentication support for Requests

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python314Packages.requests-oauthlib

OAuthlib authentication support for Requests

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python312Packages.google-auth-oauthlib

None

pkgs.python313Packages.google-auth-oauthlib

Google Authentication Library: oauthlib integration

nixos-unstable 1.2.4
- nixpkgs-unstable 1.2.4
- nixos-unstable-small 1.2.4

pkgs.python314Packages.google-auth-oauthlib

Google Authentication Library: oauthlib integration

nixos-unstable 1.2.4
- nixpkgs-unstable 1.2.4
- nixos-unstable-small 1.2.4

Package maintainers

@sumnerevans Sumner Evans <me@sumnerevans.com>
@flokli Florian Klink <flokli@flokli.de>
@sarahec Sarah Clark <seclark@nextquestion.net>
@terlar Terje Larsen <terlar@gmail.com>
@prikhi Pavan Rikhi <pavan.rikhi@gmail.com>

Published

Permalink CVE-2026-28802

updated 3 months ago by @mweinelt Activity log

Created suggestion 3 months, 1 week ago
@mweinelt ignored
15 packages
- python314Packages.google-auth-oauthlib
- python313Packages.google-auth-oauthlib
- python312Packages.google-auth-oauthlib
- python314Packages.requests-oauthlib
- python313Packages.requests-oauthlib
- python312Packages.requests-oauthlib
- python314Packages.aiohttp-oauthlib
- python313Packages.aiohttp-oauthlib
- python312Packages.aiohttp-oauthlib
- python314Packages.hawkauthlib
- python313Packages.hawkauthlib
- python312Packages.hawkauthlib
- python314Packages.oauthlib
- python313Packages.oauthlib
- python312Packages.oauthlib
3 months ago
@mweinelt accepted 3 months ago
@mweinelt published on GitHub 3 months ago

Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification

Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature was passing the signature verification step without any changes to the application code when a failure was expected.. This issue has been patched in version 1.6.7.

References

https://github.com/authlib/authlib/security/advisories/GHSA-7wc2-qxgw-g8gg x_refsource_CONFIRM
https://github.com/authlib/authlib/commit/a61c2acb807496e67f32051b5f1b1d5ccf8f0a75 x_refsource_MISC
https://github.com/authlib/authlib/commit/b87c32ed07b8ae7f805873e1c9cafd1016761df7 x_refsource_MISC

Affected products

authlib

==>= 1.6.5, < 1.6.7

Matching in nixpkgs

pkgs.python312Packages.authlib

None

pkgs.python313Packages.authlib

Library for building OAuth and OpenID Connect servers

nixos-unstable 1.6.6
- nixpkgs-unstable 1.6.6
- nixos-unstable-small 1.6.6

pkgs.python314Packages.authlib

Library for building OAuth and OpenID Connect servers

nixos-unstable 1.6.6
- nixpkgs-unstable 1.6.6
- nixos-unstable-small 1.6.6

Ignored packages (15)

pkgs.python312Packages.oauthlib

None

pkgs.python313Packages.oauthlib

Generic, spec-compliant, thorough implementation of the OAuth request-signing logic

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1

pkgs.python314Packages.oauthlib

Generic, spec-compliant, thorough implementation of the OAuth request-signing logic

nixos-unstable 3.3.1
- nixpkgs-unstable 3.3.1
- nixos-unstable-small 3.3.1

pkgs.python312Packages.hawkauthlib

None

pkgs.python313Packages.hawkauthlib

Hawk Access Authentication protocol

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python314Packages.hawkauthlib

Hawk Access Authentication protocol

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python312Packages.aiohttp-oauthlib

None

pkgs.python313Packages.aiohttp-oauthlib

oauthlib integration for aiohttp clients

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0

pkgs.python314Packages.aiohttp-oauthlib

oauthlib integration for aiohttp clients

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0

pkgs.python312Packages.requests-oauthlib

None

pkgs.python313Packages.requests-oauthlib

OAuthlib authentication support for Requests

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python314Packages.requests-oauthlib

OAuthlib authentication support for Requests

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python312Packages.google-auth-oauthlib

None

pkgs.python313Packages.google-auth-oauthlib

Google Authentication Library: oauthlib integration

nixos-unstable 1.2.4
- nixpkgs-unstable 1.2.4
- nixos-unstable-small 1.2.4

pkgs.python314Packages.google-auth-oauthlib

Google Authentication Library: oauthlib integration

nixos-unstable 1.2.4
- nixpkgs-unstable 1.2.4
- nixos-unstable-small 1.2.4

Package maintainers

@flokli Florian Klink <flokli@flokli.de>

https://github.com/authlib/authlib/security/advisories/GHSA-7wc2-qxgw-g8gg
https://github.com/authlib/authlib/commit/a61c2acb807496e67f32051b5f1b1d5ccf8f0a75
https://github.com/authlib/authlib/commit/b87c32ed07b8ae7f805873e1c9cafd1016761df7

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.python312Packages.authlib

pkgs.python313Packages.authlib

pkgs.python314Packages.authlib

pkgs.python312Packages.oauthlib

pkgs.python313Packages.oauthlib

pkgs.python314Packages.oauthlib

pkgs.python312Packages.hawkauthlib

pkgs.python313Packages.hawkauthlib

pkgs.python314Packages.hawkauthlib

pkgs.python312Packages.aiohttp-oauthlib

pkgs.python313Packages.aiohttp-oauthlib

pkgs.python314Packages.aiohttp-oauthlib

pkgs.python312Packages.requests-oauthlib

pkgs.python313Packages.requests-oauthlib

pkgs.python314Packages.requests-oauthlib

pkgs.python312Packages.google-auth-oauthlib

pkgs.python313Packages.google-auth-oauthlib

pkgs.python314Packages.google-auth-oauthlib

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.python312Packages.authlib

pkgs.python313Packages.authlib

pkgs.python314Packages.authlib

pkgs.python312Packages.oauthlib

pkgs.python313Packages.oauthlib

pkgs.python314Packages.oauthlib

pkgs.python312Packages.hawkauthlib

pkgs.python313Packages.hawkauthlib

pkgs.python314Packages.hawkauthlib

pkgs.python312Packages.aiohttp-oauthlib

pkgs.python313Packages.aiohttp-oauthlib

pkgs.python314Packages.aiohttp-oauthlib

pkgs.python312Packages.requests-oauthlib

pkgs.python313Packages.requests-oauthlib

pkgs.python314Packages.requests-oauthlib

pkgs.python312Packages.google-auth-oauthlib

pkgs.python313Packages.google-auth-oauthlib

pkgs.python314Packages.google-auth-oauthlib

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.python312Packages.authlib

pkgs.python313Packages.authlib

pkgs.python314Packages.authlib

pkgs.python312Packages.oauthlib

pkgs.python313Packages.oauthlib

pkgs.python314Packages.oauthlib

pkgs.python312Packages.hawkauthlib

pkgs.python313Packages.hawkauthlib

pkgs.python314Packages.hawkauthlib

pkgs.python312Packages.aiohttp-oauthlib

pkgs.python313Packages.aiohttp-oauthlib

pkgs.python314Packages.aiohttp-oauthlib

pkgs.python312Packages.requests-oauthlib

pkgs.python313Packages.requests-oauthlib

pkgs.python314Packages.requests-oauthlib

pkgs.python312Packages.google-auth-oauthlib

pkgs.python313Packages.google-auth-oauthlib

pkgs.python314Packages.google-auth-oauthlib

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.python312Packages.authlib

pkgs.python313Packages.authlib

pkgs.python314Packages.authlib

pkgs.python312Packages.oauthlib

pkgs.python313Packages.oauthlib

pkgs.python314Packages.oauthlib

pkgs.python312Packages.hawkauthlib

pkgs.python313Packages.hawkauthlib

pkgs.python314Packages.hawkauthlib

pkgs.python312Packages.aiohttp-oauthlib