CVE-2025-68158
CSRF Vulnerability in Authlib OAuth State Management
Publication date: 2026-01-08
Last updated on: 2026-03-30
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| authlib | authlib | to 1.6.5 (inc) |
| authlib | authlib | 1.6.6 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68158 is a vulnerability in the Authlib Python library (versions 1.6.5 and prior) that affects the OAuth state/request-token storage mechanism. When caching is used, the OAuth state data is stored in a cache without being tied to the initiating user's session. This allows an attacker who obtains a valid OAuth state value through an attacker-initiated authentication flow to perform a Cross-Site Request Forgery (CSRF) attack. Specifically, the attacker can trick a logged-in user into making an OAuth callback request with the attacker's state, causing the OAuth callback to succeed and linking the attacker's OAuth identity to the victim's application account. This results in a 1-click account takeover. The root cause is that the state data retrieval ignores the user's session context, enabling token exchange for any bearer of the state value. The issue was patched in version 1.6.6 by binding the OAuth state to the user session and improving session and cache handling. [3, 1]
How can this vulnerability impact me? :
This vulnerability can lead to a 1-click account takeover via a Login CSRF attack. An attacker can initiate an OAuth flow to obtain a valid state value, then trick a logged-in victim into triggering the OAuth callback with the attacker's state and authorization code. Because the OAuth state is not tied to the victim's session, the OAuth callback proceeds, exchanging the attacker's authorization code and linking the attacker's OAuth identity to the victim's application account. This allows the attacker to permanently associate their SSO account with the victim's account, effectively taking over the victim's account without their knowledge. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if your Authlib version is 1.6.5 or earlier and verifying whether the OAuth state/request-token storage is tied to the user session. Since the vulnerability arises from cache-backed state storage not being session-specific, you can detect it by inspecting the cache keys and session data for OAuth state values. Specifically, look for cache keys formatted as '_state_{app}_{state}' that are not linked to user sessions. Commands to detect this might include: 1. Checking the installed Authlib version: `pip show authlib` or `pip freeze | grep authlib` 2. Inspecting your cache backend (e.g., Redis, Memcached) for keys matching the pattern '_state_*' and verifying if they include session identifiers. For example, in Redis: `redis-cli KEYS '_state_*'` 3. Reviewing session storage to see if OAuth state data is stored without proper session binding. 4. Reviewing application logs for suspicious OAuth callback requests with state values that do not match the initiating session. However, no specific detection commands are provided in the resources. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Authlib to version 1.6.6 or later, where the vulnerability is patched by tying OAuth state data to the user session. If upgrading is not immediately possible, you should ensure that the OAuth state is stored in the user session even when caching is enabled, or modify the cache key to include a per-user secret such as a hashed session ID. This prevents cached state data from being valid across different user sessions, mitigating CSRF and account takeover risks. Additionally, review your OAuth implementation to confirm that state data retrieval validates the session context before proceeding with token exchange. Following OAuth RFC 6749 Section 10.12 recommendations for state parameter handling is advised. [1, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability enables a 1-click account takeover via Login CSRF by allowing attackers to link their OAuth identities to victims' application accounts without proper session binding. Such unauthorized account linking and potential data exposure could lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls on user authentication and data access. The flaw undermines secure session management and user identity verification, increasing the risk of unauthorized access to personal data, thereby negatively impacting compliance with these standards. The recommended fix to tie OAuth state to user sessions helps mitigate these risks and supports compliance efforts. [3]