{"ecosystem":"pypi","package":"oauthlib","version":null,"bugs":[{"id":4482,"ecosystem":"pypi","package_name":"oauthlib","affected_version":null,"fixed_version":"2e40b412c844ecc4673c3fa3f72181f228bdbacd","bug_id":"osv:PYSEC-2022-269","title":"PYSEC-2022-269: advisory","description":"OAuthLib is an implementation of the OAuth request-signing logic for Python 3.6+. In OAuthLib versions 3.1.1 until 3.2.1, an attacker providing malicious redirect uri can cause denial of service. An attacker can also leverage usage of `uri_validate` functions depending where it is used. OAuthLib applications using OAuth2.0 provider support or use directly `uri_validate` are affected by this issue. Version 3.2.1 contains a patch. There are no known workarounds.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/oauthlib/oauthlib/blob/2b8a44855a51ad5a5b0c348a08c2564a2e197ea2/oauthlib/uri_validate.py","labels":["CVE-2022-36087","GHSA-3pgj-pg6c-r5p7"],"created_at":"2026-04-26T03:01:00.931779+00:00","updated_at":"2026-04-26T03:01:00.931779+00:00"},{"id":4481,"ecosystem":"pypi","package_name":"oauthlib","affected_version":"3.1.1","fixed_version":"3.2.2","bug_id":"osv:GHSA-3pgj-pg6c-r5p7","title":"OAuthLib vulnerable to DoS when attacker provides malicious IPV6 URI","description":"### Impact\n- Attacker providing malicious redirect uri can cause DoS to oauthlib's web application.\n- Attacker can also leverage usage of `uri_validate` functions depending where it is used.\n\n_What kind of vulnerability is it? Who is impacted?_\n\nOauthlib applications using OAuth2.0 provider support or use directly `uri_validate` function.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nIssue fixed in 3.2.2 release.\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nThe `redirect_uri` can be verified in web toolkit (i.e `bottle-oauthlib`, `django-oauth-toolkit`, ...) before oauthlib is called. A sample check if `:` is present to reject the request can prevent the DoS, assuming no port or IPv6 is fundamentally required.\n\n### References\nAttack Vector:\n- Attacker providing malicious redirect uri:\nhttps://github.com/oauthlib/oauthlib/blob/d4bafd9f1d0eba3766e933b1ac598cbbf37b8914/oauthlib/oauth2/rfc6749/grant_types/base.py#L232\n- Vulnerable `uri_validate` functions:\nhttps://github.com/oauthlib/oauthlib/blob/2b8a44855a51ad5a5b0c348a08c2564a2e197ea2/oauthlib/uri_validate.py\n\n### PoC\n```python\nis_absolute_uri(\"http://[:::::::::::::::::::::::::::::::::::::::]/path\")\n```\n\n### Acknowledgement\nSpecial thanks to Sebastian Chnelik - PyUp.io","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/oauthlib/oauthlib/security/advisories/GHSA-3pgj-pg6c-r5p7","labels":["CVE-2022-36087","PYSEC-2022-269"],"created_at":"2026-04-26T03:01:00.929147+00:00","updated_at":"2026-04-26T03:01:00.929147+00:00"}],"total":2,"_cache":"miss"}