CVE-2025-61783
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-09

Last updated on: 2025-10-15

Assigner: GitHub, Inc.

Description
Python Social Auth is a social authentication/registration mechanism. In versions prior to 5.6.0, upon authentication, the user could be associated by e-mail even if the `associate_by_email` pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or doesn't require unique e-mail addresses. Version 5.6.0 contains a patch. As a workaround, review the authentication service policy on e-mail addresses; many will not allow exploiting this vulnerability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-09
Last Modified
2025-10-15
Generated
2026-06-16
AI Q&A
2025-10-09
EPSS Evaluated
2026-06-15
NVD
CVE-2025-61783
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
python_social_auth social-auth-app-django 3.1.0
python_social_auth social-app-django 5.6.0
python_social_auth social-app-django *
python_social_auth social-auth-core 3.2.0
python python 3.6
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-303 The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-61783 is a vulnerability in the python-social-auth/social-app-django library where, prior to version 5.6.0, users could be associated by email during social authentication even if the 'associate_by_email' pipeline was not enabled. This means that if a third-party authentication service does not validate email addresses or enforce unique emails, an attacker could log in as an existing user simply by providing the same email address. The root cause is that the system automatically associates social authentication attempts with existing user accounts based on email, bypassing expected security controls and allowing unauthorized access. [1, 2, 4, 6]

Impact Analysis

This vulnerability can lead to account compromise by allowing unauthorized users to log in as existing users without proper credentials, simply by using the same email address during social authentication. This can result in unauthorized access to user accounts, potentially exposing sensitive information or allowing malicious actions under another user's identity. The impact is moderate with a CVSS score of 6.3, and exploitation requires specific conditions such as a third-party authentication provider that does not validate emails properly. [2, 4, 6]

Detection Guidance

This vulnerability can be detected by testing whether social authentication allows login by email matching even when the 'associate_by_email' pipeline is disabled. One way to detect it is to create a normal user account with a specific email, then attempt to log in via a social authentication provider using the same email but different backend. If the login succeeds and links to the existing user account without proper validation, the system is vulnerable. Specific commands include using Django's createsuperuser command to create a user, then attempting social login with the same email. There are no explicit network or system commands provided in the resources, but reproducing the issue involves social authentication flows and checking user associations in the database. [4, 6]

Mitigation Strategies

Immediate mitigation steps include upgrading the python-social-auth/social-app-django package to version 5.6.0 or later, where the vulnerability is patched. If upgrading is not immediately possible, review and enforce strict email validation policies on the third-party authentication services to ensure emails are verified and unique, reducing the risk of exploitation. Additionally, be aware that the patch removes unsafe automatic user association on creation failure and requires manual restart of the authentication pipeline to enforce policies properly. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61783. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart