CVE-2025-61783
BaseFortify
Publication date: 2025-10-09
Last updated on: 2025-10-15
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| python_social_auth | social-auth-app-django | 3.1.0 |
| python_social_auth | social-app-django | 5.6.0 |
| python_social_auth | social-app-django | * |
| python_social_auth | social-auth-core | 3.2.0 |
| python | python | 3.6 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-303 | The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-61783 affects the python-social-auth/social-app-django library (PyPI package social-auth-app-django) before version 5.6.0. During social authentication, a login could be associated with an existing user by e-mail even when the 'associate_by_email' pipeline step was not enabled: when creating the new user failed because an account with that e-mail already existed, the library fell back to the existing account instead of failing. If the third-party authentication provider does not verify e-mail addresses or enforce unique e-mails, an attacker can therefore log in as an existing user simply by presenting that user's e-mail address. The expected control, that association by e-mail happens only when the operator has explicitly opted in, was bypassed. [1, 2, 4, 6]
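The following is an added illustration, not code from social-app-django: an in-memory model of the behaviour described above. `UserStore`, `IntegrityError`, `social_login` and the user names are constructed for this example; `create_user_vulnerable` mirrors the pre-5.6.0 "fall back to the existing user on creation failure" logic and `create_user_fixed` the 5.6.0 behaviour, so the same attacker login can be run against both.

```python
# Added illustration, not code from social-app-django: an in-memory model of
# the account-association bug. UserStore, IntegrityError, social_login and the
# user names are constructed; create_user_vulnerable mirrors the pre-5.6.0
# "fall back to the existing user on creation failure" logic, create_user_fixed
# the 5.6.0 behaviour.


class IntegrityError(Exception):
    """Stands in for the database's unique-constraint violation."""


class UserStore:
    """Toy user table with a unique constraint on e-mail."""

    def __init__(self):
        self.users = {}  # email -> user record

    def create(self, username, email):
        if email in self.users:
            raise IntegrityError(f"duplicate e-mail {email!r}")
        user = {"username": username, "email": email}
        self.users[email] = user
        return user

    def get_by_email(self, email):
        return self.users.get(email)


def create_user_vulnerable(store, username, email):
    """Pre-5.6.0 shape of the bug: a unique-constraint failure is swallowed and
    the existing account with that e-mail is returned, i.e. silently
    associated, regardless of pipeline configuration."""
    try:
        return store.create(username, email)
    except IntegrityError:
        return store.get_by_email(email)  # unsafe: hands over another user's account


def create_user_fixed(store, username, email):
    """5.6.0 shape: the failure propagates; association happens only if the
    operator enabled the associate_by_email step explicitly."""
    return store.create(username, email)


def social_login(store, create_user, details, associate_by_email=False):
    """Simplified pipeline: optional associate_by_email step, then create_user.
    Returns the account the session would be logged in as, or None on failure."""
    email = details["email"]
    if associate_by_email:
        existing = store.get_by_email(email)
        if existing is not None:
            return existing
    try:
        return create_user(store, details["username"], email)
    except IntegrityError:
        return None  # login fails; the conflict surfaces instead of being hidden


def attacker_gets_victim_account(create_user):
    """Run the scenario once: does a login from an e-mail-unverified provider
    that claims the victim's address land in the victim's account?"""
    store = UserStore()
    victim = store.create("alice", "alice@example.com")  # constructed victim
    # Constructed attacker-controlled identity: the provider never verified
    # that the attacker owns alice@example.com.
    attacker = {"username": "mallory", "email": "alice@example.com"}
    result = social_login(store, create_user, attacker, associate_by_email=False)
    return result is victim


if __name__ == "__main__":
    print("vulnerable:", attacker_gets_victim_account(create_user_vulnerable))  # True
    print("fixed:     ", attacker_gets_victim_account(create_user_fixed))  # False
```

With `associate_by_email=False` the vulnerable path still returns the victim's account, while the fixed path turns the duplicate e-mail into a failed login. Passing `associate_by_email=True` to `social_login` shows the opt-in path: there the association is the operator's deliberate choice, which is only safe with providers that verify e-mail ownership.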
How can this vulnerability impact me?
This vulnerability can lead to account compromise: an attacker who can present an existing user's e-mail address through a social authentication provider is logged in as that user without knowing their credentials. That gives access to whatever the account can see and do, so sensitive data can be exposed and actions can be taken under another user's identity. The impact is rated moderate, with a CVSS score of 6.3, because exploitation requires specific conditions, in particular a third-party authentication provider that does not verify e-mail addresses or enforce their uniqueness. [2, 4, 6]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The quickest check is the installed version on each Django deployment, for example with `pip show social-auth-app-django`; anything below 5.6.0 is affected. Also inspect the SOCIAL_AUTH_PIPELINE setting: if `social_core.pipeline.social_auth.associate_by_email` is not listed, no association by e-mail should ever happen, so any observed association is the bug. To confirm the behaviour in a test environment, create a normal user with a known e-mail (Django's createsuperuser command is enough), then complete a social login through a backend that is not yet linked to that user but presents the same e-mail. If the login succeeds and the new social account ends up linked to the existing user (check the UserSocialAuth records), the deployment is vulnerable. The cited resources give no network-level detection commands; detection is a matter of the authentication flow and of the user associations in the database. [4, 6]
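An added audit helper, not from the page or the project, that checks the two facts the answer above depends on: whether the installed social-auth-app-django version predates 5.6.0, and whether the associate_by_email step is present in the pipeline. The pipeline step path is the real social-core one; `SAMPLE_PIPELINE` is a constructed example of a SOCIAL_AUTH_PIPELINE setting, and `audit`, `parse_version`, `is_affected_version` and `installed_version` are names chosen for this example.

```python
# Added audit helper (not from the page or the project). The pipeline step path
# is the real social-core one; SAMPLE_PIPELINE is a constructed example of a
# SOCIAL_AUTH_PIPELINE setting and the function names are chosen here.
from importlib.metadata import PackageNotFoundError, version as dist_version

DIST_NAME = "social-auth-app-django"  # PyPI name of python-social-auth/social-app-django
FIXED_VERSION = (5, 6, 0)
ASSOCIATE_BY_EMAIL_STEP = "social_core.pipeline.social_auth.associate_by_email"

# Constructed pipeline setting with no e-mail association step.
SAMPLE_PIPELINE = (
    "social_core.pipeline.social_auth.social_details",
    "social_core.pipeline.social_auth.social_uid",
    "social_core.pipeline.social_auth.auth_allowed",
    "social_core.pipeline.social_auth.social_user",
    "social_core.pipeline.user.get_username",
    "social_core.pipeline.user.create_user",
    "social_core.pipeline.social_auth.associate_user",
    "social_core.pipeline.social_auth.load_extra_data",
    "social_core.pipeline.user.user_details",
)


def parse_version(text):
    """'5.4.3' -> (5, 4, 3); '5.6' -> (5, 6, 0). A pre-release suffix such as
    '5.6.0rc1' is ignored, so treat such builds as affected by hand."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected_version(text):
    """True when the given social-auth-app-django version predates the fix."""
    return parse_version(text) < FIXED_VERSION


def installed_version():
    """Installed social-auth-app-django version, or None if it is not installed."""
    try:
        return dist_version(DIST_NAME)
    except PackageNotFoundError:
        return None


def audit(version_text, pipeline):
    """Summarise one deployment. Association by e-mail is only expected when the
    operator opted in via the associate_by_email step; on an affected version
    it can happen without that opt-in, which is the bug."""
    affected = is_affected_version(version_text)
    opted_in = ASSOCIATE_BY_EMAIL_STEP in pipeline
    return {
        "version": version_text,
        "affected_version": affected,
        "email_association_expected": opted_in,
        "unexpected_association_possible": affected and not opted_in,
    }


if __name__ == "__main__":
    found = installed_version()
    # Falls back to a constructed version string when the package is absent.
    print(audit(found or "5.5.1", SAMPLE_PIPELINE))
```

Run it inside the deployment's virtualenv with the real SOCIAL_AUTH_PIPELINE passed to `audit`; a result with `unexpected_association_possible` set is a deployment where the version check alone already settles the question.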
What immediate steps should I take to mitigate this vulnerability?
Upgrade social-auth-app-django (the PyPI name of python-social-auth/social-app-django) to version 5.6.0 or later, where the vulnerability is fixed. If upgrading is not immediately possible, limit social login to providers that verify e-mail addresses and enforce their uniqueness, and review which backends are enabled, since the attack needs a provider that lets the attacker claim someone else's e-mail. Note that the patch removes the unsafe automatic user association on creation failure: deployments that relied on it must enable the 'associate_by_email' pipeline step explicitly, and only for providers that verify e-mail, and the patched version requires a manual restart of the authentication pipeline to enforce policies properly. [2, 3]