CVE-2025-68158
Unknown Unknown - Not Provided
CSRF Vulnerability in Authlib OAuth State Management

Publication date: 2026-01-08

Last updated on: 2026-03-30

Assigner: GitHub, Inc.

Description
Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an attacker-initiated authentication flow). When a cache is supplied to the OAuth client registry, FrameworkIntegration.set_state_data writes the entire state blob under _state_{app}_{state}, and get_state_data ignores the caller’s session altogether. This issue has been patched in version 1.6.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-08
Last Modified
2026-03-30
Generated
2026-06-16
AI Q&A
2026-01-08
EPSS Evaluated
2026-06-14
NVD
CVE-2025-68158
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
authlib authlib to 1.6.5 (inc)
authlib authlib 1.6.6
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-68158 is a vulnerability in the Authlib Python library (versions 1.6.5 and prior) that affects the OAuth state/request-token storage mechanism. When caching is used, the OAuth state data is stored in a cache without being tied to the initiating user's session. This allows an attacker who obtains a valid OAuth state value through an attacker-initiated authentication flow to perform a Cross-Site Request Forgery (CSRF) attack. Specifically, the attacker can trick a logged-in user into making an OAuth callback request with the attacker's state, causing the OAuth callback to succeed and linking the attacker's OAuth identity to the victim's application account. This results in a 1-click account takeover. The root cause is that the state data retrieval ignores the user's session context, enabling token exchange for any bearer of the state value. The issue was patched in version 1.6.6 by binding the OAuth state to the user session and improving session and cache handling. [3, 1]

Impact Analysis

This vulnerability can lead to a 1-click account takeover via a Login CSRF attack. An attacker can initiate an OAuth flow to obtain a valid state value, then trick a logged-in victim into triggering the OAuth callback with the attacker's state and authorization code. Because the OAuth state is not tied to the victim's session, the OAuth callback proceeds, exchanging the attacker's authorization code and linking the attacker's OAuth identity to the victim's application account. This allows the attacker to permanently associate their SSO account with the victim's account, effectively taking over the victim's account without their knowledge. [3]

Detection Guidance

Detection of this vulnerability involves checking if your Authlib version is 1.6.5 or earlier and verifying whether the OAuth state/request-token storage is tied to the user session. Since the vulnerability arises from cache-backed state storage not being session-specific, you can detect it by inspecting the cache keys and session data for OAuth state values. Specifically, look for cache keys formatted as '_state_{app}_{state}' that are not linked to user sessions. Commands to detect this might include: 1. Checking the installed Authlib version: `pip show authlib` or `pip freeze | grep authlib` 2. Inspecting your cache backend (e.g., Redis, Memcached) for keys matching the pattern '_state_*' and verifying if they include session identifiers. For example, in Redis: `redis-cli KEYS '_state_*'` 3. Reviewing session storage to see if OAuth state data is stored without proper session binding. 4. Reviewing application logs for suspicious OAuth callback requests with state values that do not match the initiating session. However, no specific detection commands are provided in the resources. [3]

Mitigation Strategies

Immediate mitigation steps include upgrading Authlib to version 1.6.6 or later, where the vulnerability is patched by tying OAuth state data to the user session. If upgrading is not immediately possible, you should ensure that the OAuth state is stored in the user session even when caching is enabled, or modify the cache key to include a per-user secret such as a hashed session ID. This prevents cached state data from being valid across different user sessions, mitigating CSRF and account takeover risks. Additionally, review your OAuth implementation to confirm that state data retrieval validates the session context before proceeding with token exchange. Following OAuth RFC 6749 Section 10.12 recommendations for state parameter handling is advised. [1, 3]

Compliance Impact

This vulnerability enables a 1-click account takeover via Login CSRF by allowing attackers to link their OAuth identities to victims' application accounts without proper session binding. Such unauthorized account linking and potential data exposure could lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls on user authentication and data access. The flaw undermines secure session management and user identity verification, increasing the risk of unauthorized access to personal data, thereby negatively impacting compliance with these standards. The recommended fix to tie OAuth state to user sessions helps mitigate these risks and supports compliance efforts. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68158. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart