Last Week in AppSec for 21. October 2025
ID: da534fac-b444-50cc-9c49-8cf26ed4eee8
STIX ID: report--da534fac-b444-50cc-9c49-8cf26ed4eee8
Feed Name: Checkmarx Zero
Threat Score
This bulletin summarizes security issues: Authlib has two vulnerabilities (CVE-2025-61920 — oversized base64url segments causing severe memory/CPU exhaustion and DoS; CVE-2025-59420 — acceptance of unknown `crit` headers enabling policy bypass/possible privilege escalation), both fixed in Authlib 1.6.5; and Spring Framework has a CSRF bypass for STOMP-over-WebSocket endpoints (CVE-2025-41254) affecting several 5.x and 6.x versions, with upgrades and edge mitigations recommended.
