Platform: python
Component: authlib
Fixed in: 1.0.1, 1.6.6
CVE-2025-68158 is a Cross-Site Request Forgery (CSRF) vulnerability in Authlib, a Python library for OAuth 2.0 and OpenID Connect. It allows an attacker to take over a user's account with a single click by the victim, without needing the victim's credentials: the attack abuses the authorization-flow state handling rather than the login itself. Versions up to and including 1.6.5 are affected; the fix ships in version 1.6.6.
The flaw is in Authlib's cache-backed storage of OAuth state values (and, for OAuth 1.0, request tokens). Entries are looked up by the state value alone and are not bound to the browser session that started the flow. An attacker therefore starts an authorization flow in their own browser, captures a valid state value, and delivers a callback URL carrying that state to the victim, for example as a link or an auto-submitted page, which is what makes this a 'one-click' attack. Because the store recognizes the state regardless of which session presents it, the application completes the flow inside the victim's session. Successful exploitation results in an account takeover, giving the attacker control over the affected user's account. This is particularly concerning because the state parameter is the mechanism that is supposed to protect the OAuth callback against CSRF; when it is not bound to the session it provides no such protection, so applications relying on Authlib's default handling have no effective defense at this step.
This vulnerability was publicly disclosed on 2026-01-08. While no active exploitation campaigns have been publicly confirmed, the ease of exploitation and the potential for widespread impact make it a high-priority concern. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is anticipated given the vulnerability's nature and public disclosure.
Exploit Status
EPSS: 0.03% (7th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-68158 is to upgrade to Authlib version 1.6.6 or later, which corrects the state storage mechanism. If upgrading immediately is not feasible, enforce the session binding yourself at the application level: record the state value in the user's server-side session when the authorization redirect is issued, and reject any callback whose state does not match the value stored in the session that receives it. Generic CSRF defenses such as double-submit cookies do not cover this step on their own, because the callback arrives as a redirect from the identity provider rather than as a form post from your own page. Review every authentication and account-linking flow that passes through the OAuth callback to confirm the state check is tied to the session. Monitor application logs for authorization flows whose callback is completed by a different session than the one that started them, and investigate any such request.
Update Authlib to version 1.6.6 or later. The fix binds the cache-backed state/request-token entries to the session that initiated the flow, so a state value obtained in one browser session is no longer accepted when presented from another.
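As an added example of the log monitoring suggested above (not code from the page or from the Authlib project), the following Python correlates authorization starts with callbacks and flags any state value that is completed by a session other than the one it was issued to, which is exactly the pattern the vulnerable store accepts. The log format, the `sid` field (assumed to be the application's own session identifier, e.g. a hash of the session cookie) and the sample lines are all constructed for this example; adapt the regular expression to your application's real logging.

```python
import re

# Hypothetical log format: one line per OAuth event, with the app's own
# session identifier and the state value. Adjust LINE_RE for real logs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>authorize|callback) sid=(?P<sid>\S+) state=(?P<state>\S+)"
)

# Constructed sample log: s-attacker starts a flow, then its state is
# presented by s-victim; s-alice completes her own flow normally; s-bob
# presents a state the application never issued.
SAMPLE_LOG = """\
2026-01-09T10:00:01Z event=authorize sid=s-attacker state=K7pQ2n
2026-01-09T10:00:05Z event=authorize sid=s-alice state=Bx91Lm
2026-01-09T10:00:09Z event=callback sid=s-alice state=Bx91Lm
2026-01-09T10:02:30Z event=callback sid=s-victim state=K7pQ2n
2026-01-09T10:03:00Z event=callback sid=s-bob state=ZZZZZZ
""".splitlines()


def find_cross_session_states(log_lines):
    """Return one alert per callback whose state was issued to a different
    session (the login-CSRF signal) or was never issued at all."""
    issued_to = {}  # state value -> session that received the redirect
    alerts = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line
        event, sid, state = m["event"], m["sid"], m["state"]
        if event == "authorize":
            issued_to[state] = sid
            continue
        origin = issued_to.get(state)
        if origin is None:
            alerts.append({"ts": m["ts"], "state": state, "issued_to": None,
                           "presented_by": sid, "reason": "unknown-state"})
        elif origin != sid:
            alerts.append({"ts": m["ts"], "state": state, "issued_to": origin,
                           "presented_by": sid, "reason": "cross-session-state"})
    return alerts


if __name__ == "__main__":
    for alert in find_cross_session_states(SAMPLE_LOG):
        print(alert)
```

A single-process dictionary is enough for a log review; for a streaming detector the `issued_to` map needs an expiry matching your state lifetime, and the `sid` must be the application's session identifier, not the client IP, since the attacker and victim may share an address.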
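The following Python is an added illustration of the flaw and the fix described above; it is a small model, not Authlib's code, and the class and function names are invented. `CacheStateStore` reproduces the vulnerable pattern (state entries keyed by the state value alone), `SessionBoundStateStore` the corrected one (entries keyed by the initiating session as well), and `simulate_login_csrf` runs the attack from the page against each: the attacker starts a flow, captures the state, and the victim's session presents it at the callback.

```python
import secrets


class CacheStateStore:
    """Vulnerable pattern (model): the entry is keyed by the state value only,
    so whichever session presents a known state is accepted."""

    def __init__(self):
        self._cache = {}

    def save(self, session_id, state, data):
        self._cache[f"_state_{state}"] = data  # session_id deliberately ignored

    def pop(self, session_id, state):
        return self._cache.pop(f"_state_{state}", None)


class SessionBoundStateStore:
    """Hardened pattern (model): the entry is keyed by the session that issued
    the redirect, so a state from another session is not found."""

    def __init__(self):
        self._cache = {}

    def save(self, session_id, state, data):
        self._cache[f"_state_{session_id}_{state}"] = data

    def pop(self, session_id, state):
        return self._cache.pop(f"_state_{session_id}_{state}", None)


def authorize_redirect(store, session_id, redirect_uri="https://app.example/callback"):
    """Start of the flow: mint a state, remember it, return it (the app would
    redirect the browser to the identity provider with this state)."""
    state = secrets.token_urlsafe(16)
    store.save(session_id, state, {"redirect_uri": redirect_uri})
    return state


def authorize_callback(store, session_id, state, code):
    """Callback: the state must be found (and is consumed, one-time use)
    before the code is exchanged and the result bound to this session."""
    data = store.pop(session_id, state)
    if data is None:
        raise ValueError("invalid or expired state")
    # Token exchange with the provider would happen here; return what the
    # application would now associate with session_id.
    return {"code": code, **data}


def simulate_login_csrf(store_cls):
    """Attacker starts a flow, captures the state, and the victim's session
    presents it with a code for the attacker's provider account."""
    store = store_cls()
    attacker_state = authorize_redirect(store, session_id="attacker-session")
    try:
        authorize_callback(store, "victim-session", attacker_state, code="attacker-code")
        return "accepted"  # flow completed inside the victim's session
    except ValueError:
        return "rejected"


def legitimate_flow(store_cls):
    """Same session starts and finishes the flow; must succeed with both stores."""
    store = store_cls()
    state = authorize_redirect(store, "user-session")
    return authorize_callback(store, "user-session", state, code="code-1")["code"]


if __name__ == "__main__":
    print("cache-keyed store, attacker state in victim session:",
          simulate_login_csrf(CacheStateStore))
    print("session-bound store, attacker state in victim session:",
          simulate_login_csrf(SessionBoundStateStore))
```

The only difference between the two stores is the cache key; nothing about the state's randomness or one-time use changes, which is why a strong random state alone does not help here. With the cache-keyed store the victim's callback succeeds, so whatever the application does next (log the user in, or link the provider identity to the victim's existing account) happens with the attacker's authorization code.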
CVE-2025-68158 is a Cross-Site Request Forgery (CSRF) vulnerability in Authlib, affecting versions up to 1.6.5. It allows attackers to potentially take over user accounts via a 'one-click' attack.
You are affected if your application uses Authlib version 1.6.5 or earlier for OAuth 2.0 or OpenID Connect authentication.
Upgrade to Authlib version 1.6.6 or later to remediate the vulnerability. Implement additional CSRF protections if immediate upgrading is not possible.
While no active exploitation campaigns have been publicly confirmed, the ease of exploitation makes it a high-priority concern.
Refer to the Snyk Security Labs advisory for details: [https://snyk.io/vuln/SNYK-PYTHON-AUTHLIB-1042782](https://snyk.io/vuln/SNYK-PYTHON-AUTHLIB-1042782)