CVE-2025-65430
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-15

Last updated on: 2025-12-15

Assigner: MITRE

Description
An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as is_active=False after having handed tokens for that user while the account was still active had no effect. Fixed the access/refresh tokens are now rejected.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-15
Last Modified
2025-12-15
Generated
2026-06-16
AI Q&A
2025-12-15
EPSS Evaluated
2026-06-15
NVD
CVE-2025-65430
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
django django-allauth 65.13.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in django-allauth before version 65.13.0 involved the Identity Provider (IdP) not properly invalidating access and refresh tokens when a user was marked as inactive (is_active=False). This meant that tokens issued while the user was active remained valid even after deactivation, potentially allowing continued access. The issue was fixed in version 65.13.0 by ensuring that tokens are now properly rejected once the user is inactive. [1]

Impact Analysis

This vulnerability could allow a user who has been deactivated (marked as inactive) to continue using previously issued access and refresh tokens to access the system. This could lead to unauthorized access to protected resources or services, undermining account deactivation and potentially exposing sensitive data or functionality to unauthorized users. [1]

Mitigation Strategies

Upgrade django-allauth to version 65.13.0 or later, as this release fixes the issue where marking a user as is_active=False did not invalidate existing access and refresh tokens. Additionally, review and update SocialAccount.uid fields if you use Okta or NetIQ providers due to changes in identifier usage. Consider enabling the new security features such as RP-Initiated Logout and the 'Trust this browser?' login feature if applicable. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-65430. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart