Platform: python
Component: authlib
Fixed in: 1.0.1, 1.6.6
CVE-2025-68158 describes a Cross-Site Request Forgery (CSRF) vulnerability in Authlib, a Python library for OAuth 2.0 and OpenID Connect. It concerns the OAuth client integration's cache-backed state storage and lets an attacker complete an authentication flow inside a victim's browser with a single click, which can end in an account takeover. The vulnerability affects Authlib versions up to and including 1.6.5; it is fixed in version 1.6.6.
The root cause is Authlib's cache-backed state/request-token storage. When the client is configured to keep per-flow state data in a shared cache, the entry is keyed by the state value alone and is not bound to the browser session that started the flow. An attacker can therefore start an authentication flow in their own browser, obtain a valid state value, and deliver a callback URL carrying that state to the victim. When the victim's browser follows the link, the state check passes, because the lookup only asks whether the state exists in the cache, not whether it was issued to the victim's session. The flow completes in the victim's session under the attacker's state, and depending on what the application does on callback (sign the user in, or link the returned identity to the currently signed-in account), the attacker ends up in control of the victim's account. The state parameter is the CSRF defence that OAuth 2.0 and OpenID Connect rely on for this step, so an application that trusts Authlib's state check has no further protection when that check is ineffective. Because the victim only has to click one link, exploitation is easy, which significantly elevates the risk.
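The following is an added illustration, not Authlib's own code or the upstream fix: it models the pattern the advisory describes (state data kept in a shared cache keyed by the state value alone) next to one way of binding the state to the initiating session, and replays the attack against both. The identity provider and the authorization code are left out; the cache, the sessions, the key prefix and the function names are constructed for the example.

```python
"""Added example, not Authlib's code: a cache-only state check beside a
session-bound one, and the one-click CSRF replayed against each."""
import secrets

# Constructed stand-ins for a shared cache (e.g. Redis) and per-browser sessions.
cache = {}
sessions = {"attacker": {}, "victim": {}}


def reset():
    cache.clear()
    for s in sessions.values():
        s.clear()


def redirect_cache_only(session):
    """Vulnerable pattern: the state is recorded only in the shared cache, so
    nothing ties it to the session that started the flow."""
    state = secrets.token_urlsafe(16)
    cache["_state_oidc_" + state] = {"redirect_uri": "https://app.example/callback"}
    return state


def callback_cache_only(session, state):
    """Vulnerable check: any session that presents a cached state passes."""
    data = cache.pop("_state_oidc_" + state, None)
    if data is None:
        raise ValueError("CSRF warning: state not found")
    return data


def redirect_session_bound(session):
    """Hardened pattern (hypothetical, one way to do what the fix describes):
    keep using the cache, but the initiating session also records the state.
    A real session store would keep a list or dict rather than a set."""
    state = secrets.token_urlsafe(16)
    cache["_state_oidc_" + state] = {"redirect_uri": "https://app.example/callback"}
    session.setdefault("_oauth_states", set()).add(state)
    return state


def callback_session_bound(session, state):
    """Hardened check: the state must have been issued to *this* session."""
    issued = session.get("_oauth_states", set())
    if state not in issued:
        raise ValueError("CSRF warning: state was not issued to this session")
    issued.discard(state)
    data = cache.pop("_state_oidc_" + state, None)
    if data is None:
        raise ValueError("CSRF warning: state not found or already used")
    return data


def victim_accepts_attacker_state(redirect, callback):
    """Replay the attack: the attacker starts a flow, then delivers a callback
    URL carrying *their* state to the victim. Returns True if the victim's
    session accepts it, i.e. the flow completes under the attacker's state."""
    reset()
    attacker_state = redirect(sessions["attacker"])
    try:
        callback(sessions["victim"], attacker_state)
        return True
    except ValueError:
        return False


def legitimate_flow_works(redirect, callback):
    """Sanity check: the browser that started the flow can still complete it."""
    reset()
    state = redirect(sessions["victim"])
    try:
        callback(sessions["victim"], state)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("cache-only   : victim accepts attacker's state ->",
          victim_accepts_attacker_state(redirect_cache_only, callback_cache_only))
    print("session-bound: victim accepts attacker's state ->",
          victim_accepts_attacker_state(redirect_session_bound, callback_session_bound))
```

The cache-only variant prints True for the attack and the session-bound variant prints False, while a normal login succeeds with both. The point of the hardened check is not the cache key but the second lookup: the callback is only accepted if the current session can prove it issued that state.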
This vulnerability was publicly disclosed on 2026-01-08. While no active exploitation campaigns have been publicly confirmed, the ease of exploitation and the potential for widespread impact make it a high-priority concern. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is anticipated given the vulnerability's nature and public disclosure.
Applications that use Authlib's OAuth 2.0 or OpenID Connect client with the cache-backed state storage, and that rely on Authlib's built-in state check as their only CSRF protection for the callback, are at significant risk. This includes web applications, APIs and microservices that delegate authentication to an identity provider through Authlib.
• python / server: check the installed Authlib version. The comparison is numeric; a plain string comparison would misjudge versions such as 1.6.10 or 1.10.0.

```python
import re


def parse_version(version):
    """Turn '1.6.5' (or '1.6.5rc1') into a comparable tuple of integers."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def check_authlib_version():
    try:
        import authlib
    except ImportError:
        print("Authlib is not installed in this environment.")
        return
    version = authlib.__version__
    # Everything below 1.6.6 is affected according to the advisory.
    if parse_version(version) < (1, 6, 6):
        print(f"Authlib version {version} is vulnerable to CVE-2025-68158. Upgrade to 1.6.6 or later.")
    else:
        print(f"Authlib version {version} is not vulnerable.")


check_authlib_version()
```

• generic web: use a web proxy or browser extension to inspect the traffic of an authentication flow. Start a login in one browser profile, copy the callback URL (the request carrying code and state), and open it in a second, fresh profile. If the second profile's session completes the login or links the identity, the state is not bound to the session that started the flow.
Disclosure: 2026-01-08
Exploit status: no active exploitation publicly confirmed; not listed in the CISA KEV catalog
EPSS: 0.03% (7th percentile)
CISA SSVC: not provided
CVSS vector: not provided
The primary mitigation for CVE-2025-68158 is to upgrade to Authlib 1.6.6 or later, which binds the cache-backed state storage to the session of the user who started the flow. First confirm whether your deployment actually uses that storage mode (a cache object configured for the OAuth client); the flaw is specific to it. If upgrading immediately is not feasible, bind the state to the session at the application level: record the state you issued in the server-side session when redirecting to the provider and reject any callback whose state was not issued to the current session. A double-submit cookie works here only if the value compared is the OAuth state itself: set a cookie carrying the state (or an HMAC of it) at redirect time and compare it with the state in the callback URL, which is the stateless equivalent of session binding. Review all authentication flows to confirm that the state value is tied to the user's session. Monitor application logs for unusual authentication activity, for example a state value consumed by a session other than the one that started the flow, and investigate such requests.
Update the Authlib library to version 1.6.6 or later. This fixes the CSRF vulnerability by binding the cache-based state/request-token storage to the session of the initiating user.
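The monitoring advice above can be turned into a concrete check. The following is an added detection example, not Authlib's own code or logging: it assumes the application writes one log line when it starts an OAuth flow (authorize_redirect) and one when the callback arrives (authorize_callback), each with the session id and the state value. The line format, the field names and the sample lines are constructed for the example.

```python
"""Added detection example, not Authlib's code: flag callbacks whose state
was issued to a different session, or was never issued at all."""
import re

# Constructed log format: timestamp, session id, client IP, event, state.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) "
    r"event=(?P<event>authorize_redirect|authorize_callback) state=(?P<state>\S+)$"
)

# Constructed sample: one normal login (s-alice), one callback that consumes a
# state issued to another session (s-bob uses s-attacker's state), and one
# callback with a state this log never saw issued (s-carol).
SAMPLE_LOG = """\
2026-01-08T10:00:01Z sid=s-attacker ip=203.0.113.5 event=authorize_redirect state=k9F2mQ
2026-01-08T10:00:04Z sid=s-alice ip=198.51.100.7 event=authorize_redirect state=Q7pLx2
2026-01-08T10:00:09Z sid=s-alice ip=198.51.100.7 event=authorize_callback state=Q7pLx2
2026-01-08T10:02:30Z sid=s-bob ip=192.0.2.44 event=authorize_callback state=k9F2mQ
2026-01-08T10:03:00Z sid=s-carol ip=192.0.2.80 event=authorize_callback state=ZZZZZZ
"""


def find_suspicious_callbacks(log_text):
    """Return (state, reason, consuming_sid, issuing_sid) for every callback whose
    state was issued to another session or does not appear as issued at all."""
    issued = {}   # state -> session id that started the flow
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # unrelated log line
        ev = m.groupdict()
        if ev["event"] == "authorize_redirect":
            issued[ev["state"]] = ev["sid"]
            continue
        origin = issued.get(ev["state"])
        if origin is None:
            findings.append((ev["state"], "state_never_issued", ev["sid"], None))
        elif origin != ev["sid"]:
            findings.append((ev["state"], "cross_session_state", ev["sid"], origin))
    return findings


if __name__ == "__main__":
    for state, reason, consumer, issuer in find_suspicious_callbacks(SAMPLE_LOG):
        print(f"{reason}: state={state} consumed_by={consumer} issued_to={issuer}")
```

A cross_session_state finding is the strong signal for this flaw: a state handed out to one browser session was accepted from another. A state_never_issued finding is weaker, because it also appears when the redirect was logged by a different application node whose logs are not merged, or before the window being analysed; treat it as a prompt to correlate across nodes rather than as proof of abuse.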
CVE-2025-68158 is a Cross-Site Request Forgery (CSRF) vulnerability in Authlib, affecting versions up to 1.6.5. It allows attackers to potentially take over user accounts via a 'one-click' attack.
You are affected if your application uses Authlib version 1.6.5 or earlier for OAuth 2.0 or OpenID Connect client authentication, in particular with the cache-backed state storage the flaw concerns.
Upgrade to Authlib version 1.6.6 or later to remediate the vulnerability. Implement additional CSRF protections if immediate upgrading is not possible.
While no active exploitation campaigns have been publicly confirmed, the ease of exploitation makes it a high-priority concern.
Refer to the Snyk Security Labs advisory for details: [https://snyk.io/vuln/SNYK-PYTHON-AUTHLIB-1042782](https://snyk.io/vuln/SNYK-PYTHON-AUTHLIB-1042782)