CVE-2025-65430
BaseFortify
Publication date: 2025-12-15
Last updated on: 2025-12-15
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| django | django-allauth | 65.13.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-613 | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in django-allauth before version 65.13.0 involved the Identity Provider (IdP) not properly invalidating access and refresh tokens when a user was marked as inactive (is_active=False). This meant that tokens issued while the user was active remained valid even after deactivation, potentially allowing continued access. The issue was fixed in version 65.13.0 by ensuring that tokens are now properly rejected once the user is inactive. [1]
How can this vulnerability impact me? :
This vulnerability could allow a user who has been deactivated (marked as inactive) to continue using previously issued access and refresh tokens to access the system. This could lead to unauthorized access to protected resources or services, undermining account deactivation and potentially exposing sensitive data or functionality to unauthorized users. [1]
What immediate steps should I take to mitigate this vulnerability?
Upgrade django-allauth to version 65.13.0 or later, as this release fixes the issue where marking a user as is_active=False did not invalidate existing access and refresh tokens. Additionally, review and update SocialAccount.uid fields if you use Okta or NetIQ providers due to changes in identifier usage. Consider enabling the new security features such as RP-Initiated Logout and the 'Trust this browser?' login feature if applicable. [1]