Platform: python
Component: fastapi-users
Fixed in: 15.0.3, 15.0.2
CVE-2025-68481 describes a vulnerability in the fastapi-users library: the state tokens issued for OAuth logins are generated without any per-request data, so they carry no entropy that ties a token to the session that started the flow. Because the callback cannot distinguish one flow's token from another's, an attacker can potentially hijack user sessions during the OAuth flow. The vulnerability affects versions of fastapi-users up to 9.3.2 and is resolved in version 15.0.2.
The core issue is that the OAuth login state tokens are stateless. `generate_state_token()` is always called with an empty `state_data` dictionary, so the resulting JWT contains nothing but a fixed audience claim and an expiration timestamp; every token the application mints is interchangeable with every other one that has not yet expired. The callback endpoint therefore cannot tell whether the state value it receives came from the flow the current browser started, and a token obtained from any login attempt, including one the attacker initiated, passes validation. That is the cross-site request forgery condition on an OAuth login flow: the attacker can drive a victim's browser through a callback the attacker prepared, which is how the account takeover described below arises. This is particularly concerning where OAuth is used for single sign-on (SSO) or federated authentication, since a compromised login can grant access to multiple applications and services. The absence of state data also means there is nothing in the token to correlate with the originating session, which widens the attack surface and hampers investigation.
This vulnerability was publicly disclosed on 2025-12-19. There is currently no indication of active exploitation campaigns targeting it. No public proof-of-concept (PoC) code has been released, but because the state token carries no per-request secret, exploitation requires little more than obtaining one valid token, so it is relatively straightforward. The vulnerability is not listed in the CISA KEV catalog; its EPSS score is 0.06% (17th percentile).
Applications built with FastAPI that use the fastapi-users library for OAuth authentication are at risk. This includes web applications, APIs, and microservices that rely on OAuth for user authentication and authorization. Specifically, deployments running an affected version of fastapi-users (up to 9.3.2) that have not added their own binding of the OAuth state to the user's browser session are exposed.
• python / server:
# Find where the state token is minted. Check the installed library as well as
# your own code: the empty state_data dict lives in fastapi-users' OAuth router.
grep -rn 'generate_state_token' "$(python -c 'import fastapi_users, os; print(os.path.dirname(fastapi_users.__file__))')"
grep -rn 'generate_state_token' /path/to/your/project/
# Look for calls where state_data is an empty dictionary.
• python / supply-chain:
import re
from importlib.metadata import PackageNotFoundError, version

FIXED_VERSION = (15, 0, 2)  # first release listed as fixed on this page


def parse_version(text):
    # Numeric comparison: a plain string compare would rank '15.0.2' below '9.3.2'.
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])


def check_fastapi_users_version():
    try:
        installed = version("fastapi-users")
    except PackageNotFoundError:
        print("fastapi-users is not installed.")
        return
    if parse_version(installed) < FIXED_VERSION:
        print(f"WARNING: fastapi-users {installed} predates the fix in 15.0.2.")
    else:
        print(f"fastapi-users {installed} includes the fix.")


check_fastapi_users_version()
Disclosure: 2025-12-19
Exploit status: no known active exploitation
EPSS: 0.06% (17th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to version 15.0.2 of fastapi-users or later. This version includes a fix that addresses the entropy deficiency in the state token generation process. If upgrading immediately is not feasible, consider a temporary workaround: add unique, per-request data to the `state_data` dictionary passed to `generate_state_token()`, such as a random nonce or a session identifier. Adding data to the token only helps if the callback also compares it with a value held by the requesting browser (for example a nonce stored in an HttpOnly cookie or a server-side session); a random value that nobody checks does not bind the flow. Additionally, review your OAuth configuration to ensure that the `authorize_redirect_url` is properly secured and that token validation is robust. After upgrading, confirm the fix by initiating an OAuth flow and verifying that the generated state token includes unique, per-request data.
Update the FastAPI Users library to version 15.0.2 or later. This fixes the cross-site request forgery (CSRF) vulnerability in the OAuth login flow and reduces the risk of an attacker taking over a user account.
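The following is an added example, not code from fastapi-users or from this page, that illustrates both the mechanism described above and the post-upgrade check. It builds a minimal HS256 JWT with the standard library so the contents of the state token are visible, shows the vulnerable pattern (an empty `state_data`, so the token carries only `aud` and `exp` and any flow's token is accepted at the callback) beside a hardened one (a random nonce in the token that the callback compares against a value held by the requesting browser), and ends with a helper that inspects a token's payload for per-request claims. The audience string, lifetime, function names and the "cookie nonce" hand-off are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Names and values below are this example's own assumptions, not fastapi-users' API.
STATE_TOKEN_AUDIENCE = "fastapi-users:oauth-state"
STATE_LIFETIME_SECONDS = 3600


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(claims: dict, secret: str) -> str:
    """Minimal HS256 JWT; enough to show exactly what the state token carries."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_jwt(token: str, secret: str, audience: str) -> dict:
    """Check signature, audience and expiry; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("aud") != audience:
        raise ValueError("bad audience")
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims


def generate_state_token_weak(secret: str) -> str:
    """The vulnerable pattern: state_data starts empty, so the JWT ends up with
    only a fixed audience and an expiry. Every flow gets an interchangeable token."""
    state_data: dict = {}
    state_data["aud"] = STATE_TOKEN_AUDIENCE
    state_data["exp"] = int(time.time()) + STATE_LIFETIME_SECONDS
    return encode_jwt(state_data, secret)


def generate_state_token_bound(secret: str) -> tuple:
    """Hardened pattern: a fresh random nonce goes into the token and is also
    returned so the caller can store it in an HttpOnly cookie or server-side
    session belonging to the browser that started the flow (assumed hand-off)."""
    nonce = secrets.token_urlsafe(32)
    state_data = {"nonce": nonce, "aud": STATE_TOKEN_AUDIENCE,
                  "exp": int(time.time()) + STATE_LIFETIME_SECONDS}
    return encode_jwt(state_data, secret), nonce


def verify_state_weak(token: str, secret: str) -> bool:
    """Callback check in the vulnerable pattern: any well-formed, unexpired token
    passes, regardless of which browser or flow it came from."""
    decode_jwt(token, secret, STATE_TOKEN_AUDIENCE)
    return True


def verify_state_bound(token: str, secret: str, cookie_nonce: str) -> bool:
    """Callback check in the hardened pattern: the token must also carry the
    nonce the requesting browser holds, so a token minted in another flow fails."""
    claims = decode_jwt(token, secret, STATE_TOKEN_AUDIENCE)
    return hmac.compare_digest(claims.get("nonce", ""), cookie_nonce)


def has_per_request_data(token: str) -> bool:
    """Post-upgrade check from the advisory: inspect the payload (no key needed
    for that) and report whether anything beyond aud/exp/iat is present."""
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    return bool(set(claims) - {"aud", "exp", "iat"})


if __name__ == "__main__":
    secret = "example-state-secret"  # constructed for this demo

    # Weak: a token from a flow the attacker started is accepted in the victim's callback.
    attacker_state = generate_state_token_weak(secret)
    print("weak: attacker's state accepted:", verify_state_weak(attacker_state, secret))
    print("weak: per-request data present:", has_per_request_data(attacker_state))

    # Bound: the attacker's token does not match the nonce in the victim's cookie.
    attacker_token, _ = generate_state_token_bound(secret)
    victim_token, victim_nonce = generate_state_token_bound(secret)
    print("bound: attacker token vs victim cookie:", verify_state_bound(attacker_token, secret, victim_nonce))
    print("bound: victim token vs victim cookie:", verify_state_bound(victim_token, secret, victim_nonce))
```

Two weak tokens minted within the same second are byte-for-byte identical, since `aud` and `exp` are all they contain; that is the concrete meaning of "no entropy" here. In the bound variant the nonce has to travel back on a channel the attacker cannot write to for the victim (the cookie or server-side session), which is why the callback compares against `cookie_nonce` rather than merely checking that a nonce claim exists.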
CVE-2025-68481 is a medium severity vulnerability affecting FastAPI Users versions up to 9.3.2. It involves stateless OAuth login state tokens lacking entropy, potentially allowing session hijacking.
You are affected if you are using FastAPI Users version 9.3.2 or earlier and rely on OAuth authentication. Upgrade to version 15.0.2 or later to resolve the issue.
Upgrade to version 15.0.2 of the fastapi-users library. If immediate upgrade is not possible, implement a temporary workaround by adding unique per-request data to the state_data dictionary.
There is currently no indication of active exploitation campaigns targeting this specific vulnerability, but the lack of entropy makes exploitation relatively straightforward.
Refer to the official FastAPI Users repository and release notes for the latest information and advisory regarding CVE-2025-68481.