
315 matches found

Source: NVD (added 2025/12/19 5:16 a.m.)

CVE-2025-14546

Versions of the package fastapi-sso before 0.19.0 are vulnerable to Cross-site Request Forgery CSRF due to the improper validation of the OAuth state parameter during the authentication callback. While the getloginurl method allows for state generation, it does not persist the state or bind it to...

CVSS 6.9 | EPSS 0.00311 | Exploits: 0 | References: 3
Source: OSV (added 2025/12/19 5:16 a.m.)

CVE-2025-14546

Versions of the package fastapi-sso before 0.19.0 are vulnerable to Cross-site Request Forgery CSRF due to the improper validation of the OAuth state parameter during the authentication callback. While the getloginurl method allows for state generation, it does not persist the state or bind it to...

CVSS 6.9 | AI score 6.8 | Exploits: 0 | References: 3
Source: CVE (added 2025/12/19 5:00 a.m.)

CVE-2025-14546

CVE-2025-14546 affects fastapi-sso

CVSS 6.9 | AI score 6.5 | EPSS 0.00311 | Exploits: 0 | References: 3
Source: CNNVD (added 2025/12/19 12:00 a.m.)

FastAPI SSO security vulnerability (title translated from Chinese)

FastAPI SSO is a FastAPI plugin from the individual developer Tomas Votava. A security vulnerability exists in FastAPI SSO versions prior to 0.19.0, which stems from improper validation of the OAuth state parameter and could lead to a cross-site request forgery attack...

CVSS 6.9 | AI score 6.4 | EPSS 0.00311 | Exploits: 0 | References: 4
Source: Positive Technologies (added 2025/12/19 12:00 a.m.)

PT-2025-52515

Vulnerable software and affected versions: FastAPI Users versions prior to 15.0.2. Description: FastAPI Users is a system designed to add registration and authentication to FastAPI projects. A login Cross-Site Request Forgery (CSRF) exists because OAuth login state tokens are stateless and...

CVSS 5.9 | AI score 6.8 | EPSS 0.00222 | Exploits: 1 | References: 8
Source: CNNVD (added 2025/12/19 12:00 a.m.)

FastAPI Users cross-site request forgery vulnerability (title translated from Chinese)

FastAPI Users is an open-source, customizable user management interface for FastAPI. A cross-site request forgery vulnerability exists in FastAPI Users versions prior to 15.0.2, which stems from stateless OAuth login state tokens and missing correlation data, and could lead to login CSRF...

CVSS 8.8 | AI score 6.3 | EPSS 0.00222 | Exploits: 1 | References: 5
Source: vulnersOsv (added 2025/12/09 12:00 p.m.)

agent-lifecycle-toolkit (=0.2.1.10102025), claude-helpers (>=0.1.1 <=0.2.7) +36 more potentially affected by CVE-2025-14546 via fastapi-sso (>=0.10.0 <=0.18.0)

fastapi-sso PYPI version =0.10.0, =0.1.1, =1.0.0, =0.1.7, =2.5.43, =0.17.0, =1.0.0, =0.2.0, =2.13.3, =0.50.0, =0.5.0, =0.1.0, =0.0.1, =0.0.1, =0.2.0 and more Source cves: CVE-2025-14546 Source advisory: SNYK:PYTHON-FASTAPISSO-14386403...

CVSS 6.9 | AI score 5.4 | EPSS 0.00311 | Exploits: 0
Source: Snyk (added 2025/12/09 12:00 p.m.)

Cross-site Request Forgery (CSRF)

Overview: fastapi-sso is a FastAPI plugin to enable SSO to most common providers such as Facebook login, Google login and login via Microsoft Office 365 Account. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to the improper validation of the OAuth state...

CVSS 6.9 | AI score 7 | EPSS 0.00311 | Exploits: 0 | References: 3
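The fastapi-sso (CVE-2025-14546) and FastAPI Users (PT-2025-52515) entries above describe the same weakness class: a random OAuth `state` is emitted at login time but never persisted or correlated with the browser that started the flow, so the callback cannot tell a genuine redirect from one an attacker assembled. The following is an added, standalone model of that weakness and of one way to bind the state to the initiating browser; it is example code written for this page, not either project's implementation. The key, endpoints, cookie name and lifetime are assumptions chosen for the illustration.

```python
"""Login CSRF from an unbound OAuth `state`: a minimal model of the weakness the
fastapi-sso and FastAPI Users advisories describe, and a hardened variant that
binds the state to the browser that began the flow. Illustration only; not code
from either project."""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical values for the example; a real deployment loads the key from
# configuration and uses the provider's real authorize endpoint.
SERVER_KEY = b"example-key-for-illustration-only"
AUTHORIZE = "https://idp.example/authorize"
REDIRECT_URI = "https://app.example/callback"
STATE_MAX_AGE = 600  # seconds a pending login attempt stays valid


def _tag(ts: str, nonce: str) -> str:
    """HMAC over timestamp and nonce: proves this server issued the state."""
    return hmac.new(SERVER_KEY, f"{ts}.{nonce}".encode(), hashlib.sha256).hexdigest()


def state_of(login_url: str) -> str:
    """Extract the state parameter from an authorize URL."""
    return parse_qs(urlparse(login_url).query)["state"][0]


def make_callback(login_url: str, code: str) -> str:
    """Simulate the provider redirecting back with a code and the same state."""
    return REDIRECT_URI + "?" + urlencode({"code": code, "state": state_of(login_url)})


# ---- vulnerable pattern: state is generated, then forgotten ----------------
def vulnerable_login_url() -> str:
    state = secrets.token_urlsafe(16)  # random, but never persisted or bound
    return AUTHORIZE + "?" + urlencode({"redirect_uri": REDIRECT_URI, "state": state})


def vulnerable_callback(callback_url: str) -> str:
    """Returns the code to exchange without looking at `state` at all. An attacker
    who starts a flow with their own account and gets a victim's browser to load
    the resulting callback URL logs the victim into the attacker's account."""
    return parse_qs(urlparse(callback_url).query)["code"][0]


# ---- hardened pattern: signed, timestamped state + cookie correlation ------
def hardened_login_url(now: Optional[float] = None) -> Tuple[str, str]:
    """Returns (authorize_url, cookie_value). The caller sets the cookie as
    HttpOnly, Secure, SameSite=Lax with Max-Age=STATE_MAX_AGE."""
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_urlsafe(16)
    state = f"{ts}.{nonce}.{_tag(ts, nonce)}"
    return AUTHORIZE + "?" + urlencode({"redirect_uri": REDIRECT_URI, "state": state}), nonce


def hardened_callback(callback_url: str, cookie_nonce: Optional[str],
                      now: Optional[float] = None) -> str:
    """Accept only a state that this server issued, that is still fresh, and
    that matches the nonce cookie presented by the calling browser."""
    q = parse_qs(urlparse(callback_url).query)
    parts = q.get("state", [""])[0].split(".")
    if len(parts) != 3:
        raise PermissionError("malformed state")
    ts, nonce, tag = parts
    if not hmac.compare_digest(tag.encode(), _tag(ts, nonce).encode()):
        raise PermissionError("state was not issued by this server")
    current = time.time() if now is None else now
    if not ts.isdigit() or current - int(ts) > STATE_MAX_AGE:
        raise PermissionError("state expired")
    if cookie_nonce is None or not hmac.compare_digest(nonce.encode(), cookie_nonce.encode()):
        raise PermissionError("state not bound to this browser session")
    return q["code"][0]


def check_callback(callback_url: str, cookie_nonce: Optional[str],
                   now: Optional[float] = None) -> Optional[str]:
    """Convenience wrapper: the authorization code on success, None on rejection."""
    try:
        return hardened_callback(callback_url, cookie_nonce, now)
    except PermissionError:
        return None


if __name__ == "__main__":
    attacker_url, _attacker_cookie = hardened_login_url()
    forged = make_callback(attacker_url, "ATTACKER-CODE")
    _victim_url, victim_cookie = hardened_login_url()
    print("vulnerable callback accepts forged URL:", vulnerable_callback(forged))
    print("hardened callback accepts forged URL:", check_callback(forged, victim_cookie))
```

The hardened variant stays stateless on the server (no stored pending logins) because the HMAC proves origin and the timestamp bounds the window; the cookie supplies the correlation the advisories say is missing. Adding a server-side single-use set on top would also close replay within the window.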
Source: NVD (added 2025/12/02 7:15 p.m.)

CVE-2025-66454

Arcade MCP allows you to create, deploy, and share MCP Servers. Prior to 1.5.4, the arcade-mcp HTTP server uses a hardcoded default worker secret "dev" that is never validated or overridden during normal server startup. As a result, any unauthenticated attacker who knows this default key can...

CVSS 6.5 | EPSS 0.00271 | Exploits: 0 | References: 3
Source: OSV (added 2025/12/02 5:55 p.m.)

GHSA-G2JX-37X6-6438 arcade-mcp-server Has Default Hardcoded Worker Secret That Allows Full Unauthorized Access to All HTTP MCP Worker Endpoints

Summary: The arcade-mcp HTTP server uses a hardcoded default worker secret "dev" that is never validated or overridden during normal server startup. As a result, any unauthenticated attacker who knows this default key can forge valid JWTs and fully bypass the FastAPI authentication layer. This...

CVSS 6.5 | AI score 7.3 | EPSS 0.00271 | Exploits: 0 | References: 6
Source: vulnersOsv (added 2025/12/02 6:31 a.m.)

my-fastapi-scaffold (>=0.1.0 <=0.4.0), platform-base-lib (>=0.1.0 <=0.1.6) potentially affected by unknown CVE via fastcrud (>=0.15.1 <=0.16.0)

fastcrud PYPI version =0.15.1, =0.1.0, =0.1.0, =0.1.6 Source cves: unknown CVE Source advisory: SNYK:PYTHON-FASTCRUD-14172730...

AI score 5.8 | Exploits: 0
Source: Fedora (added 2025/11/05 2:12 a.m.)

[SECURITY] Fedora 43 Update: python-fastapi-0.120.1-1.fc43

FastAPI is a modern, fast (high-performance) web framework for building APIs with Python based on standard Python type hints. The key features are: • Fast: Very high performance, on par with NodeJS and Go thanks to Starlette and Pydantic. One of the fastest Python frameworks available...

CVSS 8.1 | AI score 7.2 | EPSS 0.00688 | Exploits: 1
Source: Fedora (added 2025/11/05 2:12 a.m.)

[SECURITY] Fedora 43 Update: fastapi-cloud-cli-0.3.1-1.fc43

Deploy and manage FastAPI Cloud apps from the command line...

CVSS 8.1 | AI score 7.2 | EPSS 0.00688 | Exploits: 1
Source: Fedora (added 2025/11/05 2:12 a.m.)

[SECURITY] Fedora 43 Update: fastapi-cli-0.0.14-1.fc43

FastAPI CLI is a command line program fastapi that you can use to serve your FastAPI app, manage your FastAPI project, and more...

CVSS 8.1 | AI score 7.1 | EPSS 0.00688 | Exploits: 1
Source: Tenable Nessus (added 2025/11/05 12:00 a.m.)

Fedora 43 : fastapi-cli / fastapi-cloud-cli / gherkin / maturin / etc (2025-4154ea83d0)

The remote Fedora 43 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2025-4154ea83d0 advisory. uv / python-uv-build 0.9.5 https://github.com/astral-sh/uv/blob/0.9.5/CHANGELOG.md ---- ruff 0.14.2...

CVSS 8.1 | AI score 7.2 | EPSS 0.00688 | Exploits: 1 | References: 3
Source: vulnersOsv (added 2025/10/28 8:38 p.m.)

01os (>=0.0.1 <=0.0.14), 12factor-configclasses (>=0.2.1 <=0.2.6) +4440 more potentially affected by CVE-2025-62727 via starlette (>=0.10.1 <=0.49.0)

starlette PYPI version =0.10.1, =0.0.1, =0.2.1, =0.1.0, =0.3.6, =0.12.0, =0.4.2, =0.1.10, =0.0.1, =0.1.0, =0.1.3, =0.0.1, =0.1.5, =0.1.1, =0.1.9 and more Source cves: CVE-2025-62727 Source advisory: SNYK:PYTHON-STARLETTE-13733964...

CVSS 7.5 | AI score 6.2 | EPSS 0.00597 | Exploits: 0
Source: vulnersOsv (added 2025/10/10 10:54 p.m.)

aad-fastapi (>=1.0.0 <=1.1.2), aad-fastapi-dl37 (>=1.0.0 <=1.0.3) +266 more potentially affected by CVE-2025-62706 via authlib (>=0.10.0 <=1.6.4)

authlib PYPI version =0.10.0, =1.0.0, =1.0.0, =0.0.1, =1.0.2, =1.0.2, =1.2.0a20250730, =1.1.0, =1.2.0a20250730, =0.4.0, =0.1.0, =0.1.0a1, =1.2.0, =1.2.0a20250730, =1.2.0a20250730, =1.2.0a20250730, =1.2.0rc4 and more Source cves: CVE-2025-62706 Source advisory: OSV:GHSA-G7F3-828F-7H7M...

CVSS 6.5 | AI score 5.4 | EPSS 0.00418 | Exploits: 1
Source: EUVD (added 2025/10/07 12:30 a.m.)

EUVD-2021-0080

Malware in sbrugna...

CVSS 8.2 | AI score 8.1 | EPSS 0.00804 | Exploits: 0 | References: 8
Source: EUVD (added 2025/10/03 8:07 p.m.)

EUVD-2025-20307

Malicious code in bioql PyPI...

CVSS 6.9 | AI score 6.3 | EPSS 0.00422 | Exploits: 1 | References: 3
Source: EUVD (added 2025/10/03 8:07 p.m.)

EUVD-2025-6983

Malicious code in bioql PyPI...

CVSS 8.7 | AI score 8.1 | EPSS 0.00652 | Exploits: 0 | References: 5