CVE-2025-43856
BaseFortify

Publication date: 2025-07-11

Last updated on: 2025-07-15

Assigner: GitHub, Inc.

Description
immich is a high-performance self-hosted photo and video management solution. Prior to 1.132.0, immich is vulnerable to account hijacking through OAuth2 because the state parameter is not checked. The OAuth2 state parameter plays the same role as a CSRF token: when the user starts the login flow, an unpredictable token is generated, stored in the browser session and passed to the identity provider, which returns it in the state parameter when it redirects the user back to immich. Before the user is logged in, that parameter must be compared against the stored value to confirm that the login was actively initiated by the user in this browser session. On its own, a missing state check would not be too bad, but when immich uses the /user-settings page as the redirect_uri it automatically links the returned OAuth identity to the account that is already logged in. This means that on an immich instance configured with a public OAuth provider (such as Google), an attacker can, for example, embed a hidden iframe in a web page or simply send the victim a forged OAuth login URL carrying a code that logs the victim into the attacker's OAuth account, redirects back to immich and links the two accounts. After this, the attacker can log into the victim's account using their own OAuth credentials. This vulnerability is fixed in 1.132.0.
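The following is an added example, not immich's own code, showing the two callback behaviours the description contrasts: one that links whatever authorization code arrives to the logged-in user, and one that first verifies the OAuth2 state against the value this browser session minted when it started the flow. The session shape, the /user-settings redirect_uri, the idp.example and immich.example hosts and the code-to-subject lookup that stands in for the token-endpoint exchange are all constructed for illustration.

```typescript
// Added example (not immich's code): OAuth2 "state" handling, vulnerable vs. fixed.
import { randomBytes, timingSafeEqual } from "node:crypto";

/** Server-side session for one browser (hypothetical shape). */
interface Session {
  userId?: string;      // present when this browser is already logged in
  oauthState?: string;  // state minted when THIS session began an OAuth login
}

/** Query parameters the IdP appends when redirecting back to redirect_uri. */
interface CallbackQuery {
  code: string;
  state?: string;
}

/** Linked accounts: local user id -> IdP subject. A Map stands in for the database. */
type Links = Map<string, string>;

/**
 * Constructed stand-in for the authorization-code exchange with the IdP.
 * In reality this is a back-channel POST to the token endpoint; here each
 * code simply maps to the subject who authenticated at the IdP.
 */
const CODE_TO_SUBJECT: Record<string, string> = {
  "code-for-attacker": "attacker@idp.example",
  "code-for-victim": "victim@idp.example",
};

function exchangeCode(code: string): string {
  const subject = CODE_TO_SUBJECT[code];
  if (!subject) throw new Error("invalid authorization code");
  return subject;
}

/** Step 1: the user clicks "link account". Mint an unpredictable state and remember it. */
function startLogin(session: Session, redirectUri: string): string {
  session.oauthState = randomBytes(32).toString("base64url");
  const q = new URLSearchParams({
    response_type: "code",
    client_id: "immich",            // hypothetical client id
    redirect_uri: redirectUri,
    state: session.oauthState,
  });
  return `https://idp.example/authorize?${q}`; // hypothetical IdP
}

/** Vulnerable callback: trusts whatever code arrives and links it to the logged-in user. */
function callbackVulnerable(session: Session, query: CallbackQuery, links: Links): string {
  const subject = exchangeCode(query.code);
  if (session.userId) {
    links.set(session.userId, subject); // auto-link on /user-settings, state never checked
  }
  return subject;
}

function constantTimeEqual(a: string, b: string): boolean {
  const ab = Buffer.from(a);
  const bb = Buffer.from(b);
  return ab.length === bb.length && timingSafeEqual(ab, bb);
}

/** Fixed callback: the returned state must equal the one this session minted, and is single-use. */
function callbackFixed(session: Session, query: CallbackQuery, links: Links): string {
  const expected = session.oauthState;
  session.oauthState = undefined; // single use: a replayed or stale state fails too
  if (!expected || !query.state || !constantTimeEqual(expected, query.state)) {
    throw new Error("OAuth state mismatch: login was not started by this browser session");
  }
  const subject = exchangeCode(query.code);
  if (session.userId) {
    links.set(session.userId, subject);
  }
  return subject;
}

/**
 * The attack from the advisory: the victim is logged in to immich but never started an
 * OAuth flow; a forged /user-settings callback URL arrives carrying the attacker's code.
 * Returns the IdP subject now linked to the victim, or null if the request was rejected.
 */
function runAttack(handler: (s: Session, q: CallbackQuery, l: Links) => string): string | null {
  const links: Links = new Map();
  const victimSession: Session = { userId: "victim-user" }; // logged in, no pending login
  // Forged: /user-settings?code=code-for-attacker&state=<anything the attacker likes>
  const forged: CallbackQuery = { code: "code-for-attacker", state: "attacker-chosen" };
  try {
    handler(victimSession, forged, links);
  } catch {
    return null;
  }
  return links.get("victim-user") ?? null;
}

/** The legitimate flow still works with the fix: start, then return with the minted state. */
function runLegitimate(): string | null {
  const links: Links = new Map();
  const session: Session = { userId: "victim-user" };
  const url = new URL(startLogin(session, "https://immich.example/user-settings"));
  const state = url.searchParams.get("state") ?? undefined;
  callbackFixed(session, { code: "code-for-victim", state }, links);
  return links.get("victim-user") ?? null;
}
```

The state is cleared before it is compared so that a second request with the same value, or a callback that arrives without any login having been started, fails closed; the comparison is constant-time because the state is a bearer secret for the duration of the flow.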
Meta Information
Published: 2025-07-11
Last Modified: 2025-07-15
Page generated: 2026-05-07
AI Q&A generated: 2025-07-11
EPSS evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE

Vendor   Product         Version / Range
immich   immich-server   < 1.132.0 (fixed in 1.132.0)
Helpful Resources

CWE
CWE-303 (Incorrect Implementation of Authentication Algorithm): The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.
AI Powered Q&A
Can you explain this vulnerability to me?

In immich prior to version 1.132.0, the OAuth2 login flow does not check the state parameter. That parameter acts like a CSRF token: it is minted when the user starts the login, stored in the browser session, and returned by the identity provider on the redirect, and immich should verify it before completing the login so that only flows initiated from the current browser session are accepted. The missing check becomes an account-hijacking issue because immich uses the /user-settings page as a redirect URI, and that page automatically links the returned OAuth identity to whichever account is already logged in. An attacker can therefore send the victim a forged OAuth login URL, or embed one in a hidden iframe, that carries a code for the attacker's own OAuth account; immich links that identity to the victim's account, and the attacker can then log in as the victim with their own OAuth credentials. The issue is fixed in immich version 1.132.0.


How can this vulnerability impact me? :

This vulnerability can lead to account hijacking: an attacker can attach their own OAuth identity to a victim's immich account and then log in as the victim. This exposes the personal photo and video library managed by immich, potentially leading to data theft, privacy breaches, and full control of the account. It only requires that the victim be logged in to immich and visit an attacker-controlled page or link, and it is most exposed on instances that use a public OAuth provider such as Google, where the attacker can freely obtain an account at the identity provider.


What immediate steps should I take to mitigate this vulnerability?

The immediate step is to upgrade immich to version 1.132.0 or later, where the OAuth2 state parameter is verified. Until the upgrade is in place, disabling OAuth login on the instance closes the attack path. After upgrading, review the OAuth identity linked to each user account: the fix checks the state on new logins but does not by itself undo a link an attacker may already have created, so any unexpected linked identity should be removed.

