safety's own authlib dependency causes safety check failure #822

@fmigneault

Description

Checklist

  • I agree to the terms within the Safety Code of Conduct.
  • I have searched existing issues to ensure this bug hasn't been reported before.

Safety version

Safety v3.6.2

Python version

Observed with Python 3.11, but should affect any version.

Operating System

Ubuntu 20.04 LTS

Bug description

Safety requires authlib:

safety/pyproject.toml

Lines 35 to 36 in 9df3a6f

dependencies = [
"Authlib>=1.2.0",

However, https://nvd.nist.gov/vuln/detail/CVE-2025-61920 has been reported, causing any authlib<1.6.5 to report a vulnerability.

Therefore, installing safety in an environment that already contains an older authlib (satisfying the minimum requirement >=1.2.0), such as one retrieved from a CI build cache, causes its own installation to be reported as vulnerable.

Steps to reproduce

  1. Preinstall authlib>1.2.0,<1.6.5.
  2. Install safety.
  3. Run safety check.

Command and output

+==============================================================================+
 VULNERABILITIES REPORTED 
+==============================================================================+

-> Vulnerability found in authlib version 1.6.1
   Vulnerability ID: 79756
   Affected spec: <1.6.4
   ADVISORY: Affected versions of the Authlib package are vulnerable
   to Authentication Bypass due to improper handling of critical header
   parameters in JSON Web Signature tokens. The
   authlib.jose.JsonWebSignature.deserialize_compact() method violates RFC
   7515 "must-understand" semantics by accepting tokens that declare unknown
   critical header parameters in the crit field instead of rejecting them as
   required by the specification. An attacker can exploit this by crafting
   signed tokens with critical headers that strict verifiers reject but
   Authlib accepts, enabling split-brain verification in mixed-language
   environments and potentially leading to authentication policy bypass,
   token replay attacks, or privilege escalation.
   CVE-2025-59420
   For more information about this vulnerability, visit
   https://data.safetycli.com/v/79756/97c
   To ignore this vulnerability, use PyUp vulnerability id 79756 in safety’s
   ignore command-line argument or add the ignore to your safety policy file.


+==============================================================================+
   REMEDIATIONS

  1 vulnerability was reported in 1 package. For detailed remediation & fix 
  recommendations, upgrade to a commercial license. 

+==============================================================================+

 Scan was completed using a safety policy file. 1 vulnerability was reported. 

+==============================================================================+

Additional context

Found via https://github.com/stac-extensions/mlm/actions/runs/19001985553/job/54270025239?pr=127
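A pre-flight check for the situation described in this report, written as an added example (not part of the issue or of safety itself): it classifies the Authlib version a CI job would scan as either below safety's own floor (pip will upgrade it anyway), inside the advisory's affected range (safety would flag its own dependency), or clear, and emits the constraint line that lifts a cached install past the advisory. The floor `1.2.0` comes from the pyproject.toml excerpt above; the cutoff `1.6.5` is the bound the report's prose gives (the scan output above shows `<1.6.4`, so the stricter one is used); the `1.6.1` fallback is a constructed sample matching the reported output.

```python
"""Pre-flight check: will `safety check` flag Authlib, safety's own dependency?"""
from importlib import metadata

SAFETY_AUTHLIB_FLOOR = "1.2.0"     # from safety's pyproject.toml: "Authlib>=1.2.0"
AUTHLIB_AFFECTED_BELOW = "1.6.5"   # advisory range quoted in the report: authlib<1.6.5


def parse_version(v: str) -> tuple[int, int, int]:
    """Turn a release version like '1.6.1' into a comparable 3-tuple.

    Assumption: only plain release versions matter here; any pre-release
    suffix ('1.6.0rc1') is dropped and missing components are padded with 0.
    """
    parts = []
    for piece in v.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits or 0))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)  # type: ignore[return-value]


def classify(installed: str) -> str:
    """Return 'too-old', 'self-flagged' or 'ok' for an installed Authlib version."""
    v = parse_version(installed)
    if v < parse_version(SAFETY_AUTHLIB_FLOOR):
        return "too-old"        # pip upgrades it when safety is installed, so no finding
    if v < parse_version(AUTHLIB_AFFECTED_BELOW):
        return "self-flagged"   # satisfies safety's floor but sits in the vulnerable range
    return "ok"


def installed_authlib_version(fallback: str = "1.6.1") -> str:
    """Read the Authlib version from the environment; use the constructed sample if absent."""
    try:
        return metadata.version("Authlib")
    except metadata.PackageNotFoundError:
        return fallback


def constraint_line() -> str:
    """Line for a pip constraints file that lifts a cached Authlib past the advisory."""
    return f"Authlib>={AUTHLIB_AFFECTED_BELOW}"


if __name__ == "__main__":
    current = installed_authlib_version()
    print(f"Authlib {current}: {classify(current)}; suggested constraint: {constraint_line()}")
```

In a CI job, a "self-flagged" result before `safety check` means the finding is the cached Authlib, not the project's own code, and installing with the printed constraint removes it.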
