CVE-2025-14546
CSRF Vulnerability in fastapi-sso OAuth State Validation
Publication date: 2025-12-19
Last updated on: 2026-04-29
Assigner: Snyk
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tomasvotava | fastapi-sso | < 0.19.0 (fixed in 0.19.0) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-site Request Forgery (CSRF) issue in fastapi-sso versions before 0.19.0. The OAuth `state` parameter exists to tie a callback to the login flow that a particular browser started, but the library generated a state and sent it to the provider without binding it to the user's session or checking it when the callback arrived, so any value presented on the callback was accepted. An attacker can therefore get a logged-in user to visit a crafted callback URL carrying the attacker's own state and authorization code; nothing ties that state to the victim's session, the code is exchanged, and the attacker's SSO identity is linked to the victim's internal account. That is unauthorized account linking and, in practice, a path to account takeover. [2, 3]
How can this vulnerability impact me?
The outcome is unauthorized account linking and, through it, account takeover. The attacker completes the provider side of the OAuth flow with their own SSO identity, then gets a signed-in victim to open the callback URL carrying the attacker's state and authorization code. The application never checks that state against anything it issued to that browser, exchanges the code, and links the resulting SSO identity to the victim's internal account; from then on the attacker can sign in through SSO with that identity and land in the victim's account. The stated impact is high on confidentiality, low on integrity and none on availability. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The weakness is a property of the library, so the reliable check is the installed version rather than traffic. In each application environment run `pip show fastapi-sso` (or `pip list | grep fastapi-sso`) and treat anything below 0.19.0 as vulnerable; `grep -r fastapi-sso requirements*.txt pyproject.toml poetry.lock` finds pins in source trees, and `pip-audit` will report the advisory if its database carries it. On the wire, an exploitation attempt is a request to the OAuth callback endpoint whose `state` parameter does not correspond to a login that this browser started. Before 0.19.0 the library sets no `sso_state` cookie, so there is nothing on the request to compare against and the only signal is context, for example callback requests whose Referer is not the identity provider. After the upgrade, callbacks rejected because `state` is missing or does not match the `sso_state` cookie are the attempts. Capturing with tcpdump or tshark only helps where TLS is terminated at the capture point; web server or reverse proxy access logs that record the query string and, ideally, the Cookie and Referer headers are the practical source. The resources themselves do not provide specific commands.
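As an added example (not part of the advisory or of fastapi-sso), the following scans access-log lines for callback requests that fail the state binding or arrive from somewhere other than the provider. The callback path (`/auth/callback`), the provider host (`idp.example`) and the log format, a combined format with the Referer and Cookie headers appended as quoted fields, are assumptions; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumptions (not from the advisory): the app mounts the SSO callback here and the
# access log is a custom format that appends the Referer and Cookie headers, quoted.
CALLBACK_PATH = "/auth/callback"
STATE_COOKIE = "sso_state"          # cookie name the 0.19.0 fix sets, per the advisory
IDP_HOSTS = {"idp.example"}         # hosts the real provider redirects back from (assumed)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<cookie>[^"]*)"$'
)


def parse_cookies(header):
    """Minimal Cookie-header parser; '-' is the log's placeholder for 'no header'."""
    jar = {}
    if header == "-":
        return jar
    for part in header.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            jar[k] = v
    return jar


def classify(line):
    """Return None for lines that are not callback requests, else a dict with a verdict."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path != CALLBACK_PATH:
        return None
    state = parse_qs(url.query).get("state", [None])[0]
    cookie_state = parse_cookies(m["cookie"]).get(STATE_COOKIE)
    ref_host = urlsplit(m["referer"]).hostname if m["referer"] != "-" else None

    if state is None:
        verdict = "no_state_param"
    elif cookie_state is None:
        # On versions before 0.19.0 this is every callback: the cookie is never set,
        # so the request cannot be tied to a login this browser started.
        verdict = "no_state_cookie"
    elif state != cookie_state:
        verdict = "state_mismatch"
    else:
        verdict = "ok"

    # Weaker, version-independent hint: a callback whose Referer is not the provider
    # was reached from a link the user followed elsewhere. Referer can be stripped by
    # referrer policies, so an absent value is treated as unknown, not hostile.
    referer_ok = ref_host is None or ref_host in IDP_HOSTS
    return {"ip": m["ip"], "ts": m["ts"], "state": state,
            "verdict": verdict, "referer_ok": referer_ok}


def find_suspicious(lines):
    """Callback requests worth a look: failed state binding or a foreign Referer."""
    out = []
    for line in lines:
        rec = classify(line)
        if rec and (rec["verdict"] != "ok" or not rec["referer_ok"]):
            out.append(rec)
    return out


# Constructed sample lines (not real traffic): one legitimate completion, one lure
# against a browser that never started a login, one whose state matches nothing.
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Dec/2025:10:00:01 +0000] "GET /auth/callback?state=abc123&code=c0de HTTP/1.1" 302 0 "https://idp.example/authorize" "sso_state=abc123; session=s1"',
    '198.51.100.7 - - [19/Dec/2025:10:05:44 +0000] "GET /auth/callback?state=evil999&code=ATK HTTP/1.1" 302 0 "https://evil.example/lure" "session=s1"',
    '198.51.100.9 - - [19/Dec/2025:10:06:02 +0000] "GET /auth/callback?state=evil999&code=ATK HTTP/1.1" 302 0 "-" "sso_state=zzz; session=s2"',
    '198.51.100.9 - - [19/Dec/2025:10:07:00 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "-"',
]

if __name__ == "__main__":
    for rec in find_suspicious(SAMPLE_LOG):
        print(rec)
```

Run against a vulnerable deployment, every callback lands in `no_state_cookie`, which is expected rather than alarming; there the `referer_ok` flag is the only discriminator, and it is a hint, not proof. Once 0.19.0 is deployed the `state_mismatch` and `no_state_cookie` verdicts correspond to requests the library itself now rejects.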
What immediate steps should I take to mitigate this vulnerability?
Upgrade fastapi-sso to version 0.19.0 or later. The fix sets the generated `state` as a cookie named `sso_state` when the login redirect is issued and, on the callback, requires the `state` query parameter to match that cookie, rejecting requests where either value is missing or the two differ. Because the callback can then only complete a flow that the same browser started, the forged callback the attacker relies on is refused, which closes the CSRF and the unauthorized account linking it enables. Until the upgrade is deployed, the same comparison can be enforced in the application's own callback route before the library is called. [1, 2]
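The attack from the description and the check introduced by the fix, side by side, as an added example that is not fastapi-sso's own code. The flow is modelled with plain functions and dictionaries standing in for the request, query string and cookie jar so it runs without FastAPI; only the cookie name `sso_state` comes from the advisory, and `begin_login`, `vulnerable_callback`, `hardened_callback` and `simulate_csrf` are illustrative names.

```python
import hmac
import secrets

STATE_COOKIE = "sso_state"   # cookie name the 0.19.0 fix uses, per the advisory


def begin_login():
    """Start of the flow: mint an unguessable state, send it to the provider in the
    authorize URL and, as the fixed version does, also set it as a cookie on this browser."""
    state = secrets.token_urlsafe(32)
    authorize_params = {"response_type": "code", "state": state}
    set_cookies = {STATE_COOKIE: state}
    return authorize_params, set_cookies


def vulnerable_callback(query, cookies):
    """Pre-0.19.0 behaviour as the advisory describes it: the state in the query is never
    compared with anything, so any code that arrives is exchanged and the resulting
    identity is attached to whatever session the browser already has."""
    if "code" not in query:
        return {"ok": False, "error": "missing code"}
    return {"ok": True, "code": query["code"]}


def hardened_callback(query, cookies):
    """Fixed behaviour: honour the callback only if its state equals the one this browser
    was handed at login. The comparison is constant-time so the check leaks nothing."""
    expected = cookies.get(STATE_COOKIE)
    received = query.get("state")
    if not expected or not received:
        return {"ok": False, "error": "missing state"}
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return {"ok": False, "error": "state mismatch"}
    if "code" not in query:
        return {"ok": False, "error": "missing code"}
    return {"ok": True, "code": query["code"]}


def simulate_csrf(callback):
    """The attack from the description: the attacker runs their own login to obtain a valid
    (state, code) pair, then lures a victim who is already signed in to the app to a
    callback URL carrying that pair. The victim's browser may hold its own sso_state
    cookie from an unfinished login, but it is never the attacker's value."""
    _, victim_cookies = begin_login()          # victim's own pending login, if any
    attacker_params, _ = begin_login()         # attacker's flow, run in the attacker's browser
    forged = {"state": attacker_params["state"], "code": "ATTACKER-CODE"}
    return callback(forged, victim_cookies)


if __name__ == "__main__":
    print("vulnerable:", simulate_csrf(vulnerable_callback))   # attacker's code accepted
    print("hardened:  ", simulate_csrf(hardened_callback))     # rejected: state mismatch
```

In a real deployment the `sso_state` cookie should be `HttpOnly`, `Secure`, short-lived and cleared once the callback has been consumed, so a single state cannot be replayed; those attributes are a general recommendation here, not something the advisory specifies.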
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized account linking due to improper validation of the OAuth state parameter, which can lead to unauthorized access to user accounts and potentially expose sensitive personal data. This unauthorized access and potential data exposure could negatively impact compliance with data protection regulations such as GDPR and HIPAA, which require strict controls to protect user data and prevent unauthorized access. Therefore, organizations using vulnerable versions of fastapi-sso may face compliance risks if this vulnerability is exploited. [2, 3]