13 matches found
Cross-Site Request Forgery (CSRF)
fastapiusers is vulnerable to Cross-Site Request Forgery CSRF. The vulnerability is due to stateless and predictable OAuth state tokens with no session binding or per-request entropy, which allows an attacker to initiate an OAuth flow, reuse a valid state token, and trick a victim into completing...
CVE-2025-68481
FastAPI Users allows users to quickly add a registration and authentication system to their FastAPI project. Prior to version 15.0.2, the OAuth login state tokens are completely stateless and carry no per-request entropy or any data that could link them to the session that initiated the OAuth flo...
CVE-2025-68481
FastAPI Users allows users to quickly add a registration and authentication system to their FastAPI project. Prior to version 15.0.2, the OAuth login state tokens are completely stateless and carry no per-request entropy or any data that could link them to the session that initiated the OAuth flo...
balify (=0.0.2), cognee (>=0.1.15 <=0.5.2.dev0) +44 more potentially affected by CVE-2025-68481 via fastapi-users (>=10.2.1 <=14.0.2)
fastapi-users PYPI version =10.2.1, =0.1.15, =0.1.2, =0.2.0, =0.1.0, =0.1.0, =0.1.0, =0.2.0, =0.2.1 - cognee-community-vector-adapter-redis =0.1.0 - cognee-community-vector-adapter-valkey =0.1.1 - cognee-community-vector-adapter-weaviate =0.1.0 and more Source cves: CVE-2025-68481 Source advisory...
GHSA-5J53-63W8-8625 FastAPI Users Vulnerable to 1-click Account Takeover in Apps Using FastAPI SSO
Description The OAuth login state tokens are completely stateless and carry no per-request entropy or any data that could link them to the session that initiated the OAuth flow. generatestatetoken is always called with an empty statedata dict, so the resulting JWT only contains the fixed audience...
Cross-site Request Forgery (CSRF)
Overview fastapi-users is a Ready-to-use and customizable users management for FastAPI Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the generatestatetoken function, which is called with an empty statedata dict, so the resulting JWT contains only the fixe...
EUVD-2025-204614
FastAPI Users allows users to quickly add a registration and authentication system to their FastAPI project. Prior to version 15.0.2, the OAuth login state tokens are completely stateless and carry no per-request entropy or any data that could link them to the session that initiated the OAuth flo...
CVE-2025-68481 FastAPI Users Vulnerable to 1-click Account Takeover in Apps Using FastAPI SSO
FastAPI Users allows users to quickly add a registration and authentication system to their FastAPI project. Prior to version 15.0.2, the OAuth login state tokens are completely stateless and carry no per-request entropy or any data that could link them to the session that initiated the OAuth flo...
CVE-2025-68481 FastAPI Users Vulnerable to 1-click Account Takeover in Apps Using FastAPI SSO
FastAPI Users allows users to quickly add a registration and authentication system to their FastAPI project. Prior to version 15.0.2, the OAuth login state tokens are completely stateless and carry no per-request entropy or any data that could link them to the session that initiated the OAuth flo...
CVE-2025-68481
CVE-2025-68481 affects FastAPI Users prior to version 15.0.2. The issue stems from stateless OAuth login state tokens: generate_state_token() is invoked with an empty state_data dict, producing a JWT with only a fixed audience and expiration. On callback, the state is only validated for signature...
CVE-2025-68481 FastAPI Users Vulnerable to 1-click Account Takeover in Apps Using FastAPI SSO
FastAPI Users allows users to quickly add a registration and authentication system to their FastAPI project. Prior to version 15.0.2, the OAuth login state tokens are completely stateless and carry no per-request entropy or any data that could link them to the session that initiated the OAuth flo...
FastAPI Users 跨站请求伪造漏洞
FastAPI Users is a customizable user management interface from FastAPI Users open source. A cross-site request forgery vulnerability exists in FastAPI Users versions prior to 15.0.2, which stems from stateless OAuth login status tokens and missing correlation data, which could lead to login CSRF...
PT-2025-52515
Name of the Vulnerable Software and Affected Versions FastAPI Users versions prior to 15.0.2 Description FastAPI Users is a system designed to add registration and authentication to FastAPI projects. A login Cross-Site Request Forgery CSRF exists because OAuth login state tokens are stateless and...