CVE-2025-65431
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-15

Last updated on: 2025-12-23

Assigner: MITRE

Description
An issue was discovered in allauth-django before 65.13.0. Both Okta and NetIQ were using preferred_username as the identifier for third-party provider accounts. That value may be mutable and should therefore be avoided for authorization decisions. The providers are now using sub instead.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-15
Last Modified
2025-12-23
Generated
2026-06-16
AI Q&A
2025-12-15
EPSS Evaluated
2026-06-15
NVD
CVE-2025-65431
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
allauth allauth to 65.13.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in django-allauth before version 65.13.0 involved the use of preferred_username as the identifier for third-party provider accounts (specifically Okta and NetIQ). Since preferred_username is mutable, it is insecure to use it for authorization decisions. This could allow unauthorized access or identity confusion. The fix was to switch to using the immutable sub claim as the identifier instead, improving security by preventing issues caused by mutable identifiers. [1]

Impact Analysis

This vulnerability can impact you by allowing potential unauthorized access or incorrect authorization decisions if preferred_username is changed, since it was used as the identifier for third-party accounts. This could lead to security risks such as account takeover or privilege escalation. The update to use the immutable sub claim helps prevent these risks by ensuring stable and secure identification of users. [1]

Detection Guidance

Detection involves checking if your django-allauth installation is before version 65.13.0 and if you are using Okta or NetIQ providers relying on preferred_username as the identifier. You can inspect your SocialAccount records to see if the uid field is set to preferred_username instead of sub. For example, you can query your database for SocialAccount entries and examine the uid and extra_data fields. Specific commands depend on your environment, but a Django shell command like `from allauth.socialaccount.models import SocialAccount; accounts = SocialAccount.objects.all(); print([(a.uid, a.extra_data.get('sub')) for a in accounts])` can help identify mismatches. Also, check your installed package version with `pip show django-allauth`. [1]

Mitigation Strategies

Upgrade django-allauth to version 65.13.0 or later to ensure the use of the immutable sub claim instead of preferred_username for third-party provider accounts. After upgrading, manually update existing SocialAccount.uid fields based on the sub value found in SocialAccount.extra_data to maintain correct linkage. Alternatively, if you accept the security risks, you can configure SocialApp.settings to set uid_field to preferred_username. Additionally, ensure that token invalidation on user deactivation is functioning properly as fixed in this release. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-65431. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart