CVE-2025-68481
Login CSRF in FastAPI Users OAuth State Token Handling
Publication date: 2025-12-19
Last updated on: 2026-03-05
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fastapi-users_project | fastapi_users | to 15.0.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68481 is a vulnerability in the FastAPI Users library (before version 15.0.2) related to its OAuth Single Sign-On implementation. The OAuth login state tokens are stateless JWTs that only contain a fixed audience claim and expiration timestamp, without any per-request entropy or linkage to the user session that initiated the OAuth flow. Because of this, an attacker can initiate an OAuth flow, capture a valid state token, and trick a victim into visiting the OAuth callback URL with the attacker's state and authorization code. Since the state token is valid for about one hour and not tied to the victim's session, the victim's browser completes the OAuth flow under the attacker's credentials, resulting in a login Cross-Site Request Forgery (CSRF). This can lead to account takeover or the victim being logged into the attacker's account, depending on the app's logic. The root cause is improper authorization and insufficient CSRF protection in OAuth state handling. [1]
How can this vulnerability impact me? :
This vulnerability can lead to login CSRF attacks where an attacker tricks a victim into completing an OAuth login flow under the attacker's credentials. Depending on the application's user management logic, this can result in account takeover, where the attacker gains control over the victim's account, or the victim being logged into the attacker's account. The impact includes high confidentiality loss due to unauthorized access to user accounts, low integrity loss, and no availability impact. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves monitoring OAuth callback requests for suspicious state tokens that are not bound to user sessions. Specifically, look for OAuth callback URLs containing state tokens that are valid but reused across different sessions or clients. Since the vulnerable versions generate stateless JWT state tokens without session linkage, you can detect attempts by capturing requests to the /authorize and /callback endpoints and analyzing the state parameter for reuse or anomalies. Commands to assist detection could include using network traffic capture tools like tcpdump or Wireshark to filter HTTP requests to the OAuth endpoints, for example: 1. tcpdump -i any -A -s 0 'tcp port 80 or tcp port 443' | grep '/callback' 2. Use web server logs to search for repeated or unusual state parameter values in OAuth callback URLs. However, no specific detection commands are provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves upgrading the FastAPI Users library to version 15.0.2 or later, which includes a patch implementing a double-submit cookie mechanism to prevent OAuth login CSRF attacks. This fix generates a secure CSRF token during OAuth authorization initiation, stores it in a cookie with secure attributes, and embeds it in the OAuth state JWT. On callback, the server verifies that the CSRF token in the cookie matches the one in the state parameter, rejecting requests that fail this check. Additionally, ensure that the CSRF cookie is configured with secure flags (Secure, HttpOnly, SameSite=lax) and that your OAuth flow properly validates these tokens. If upgrading immediately is not possible, consider implementing similar CSRF protections by tying OAuth state tokens to user sessions or using server-side state storage to validate OAuth callbacks. [1, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an attacker to perform login CSRF leading to potential account takeover or unauthorized login, which can result in unauthorized access to user data. Such unauthorized access can violate data protection requirements under standards like GDPR and HIPAA, which mandate strict controls to protect user data confidentiality and prevent unauthorized access. Therefore, this vulnerability negatively impacts compliance with these regulations by exposing user accounts and sensitive information to compromise. [1, 3]