Platform: python
Component: fastapi-users
Fixed in: 15.0.3, 15.0.2
CVE-2025-68481 describes a vulnerability in the fastapi-users library in which the `state` token used during OAuth login is generated without per-request entropy and without any link to the browser session that started the flow. Because every valid state token is interchangeable, an attacker can obtain one simply by starting an OAuth login themselves and then use it to mount a cross-site request forgery (CSRF) against another user's OAuth callback. The vulnerability affects versions of fastapi-users up to 9.3.2 and is resolved in version 15.0.2.
The core issue is that the OAuth login state token is stateless and carries no per-request data. generate_state_token() is always called with an empty state_data dictionary, so every resulting JWT contains only the fixed audience claim and an expiration timestamp; two tokens issued in the same second are byte-for-byte identical, and any token issued within the lifetime window is accepted by the callback. The OAuth `state` parameter exists precisely to bind the callback to the browser that began the authorization request, and this implementation provides no such binding. An attacker can therefore start an OAuth flow, obtain a valid state token together with an authorization code for their own provider account, and lure a victim into loading the callback URL: the victim's browser completes the flow with the attacker's code and a state the server accepts, so the victim is silently signed in to the attacker's account (login CSRF) or, where the flow associates an OAuth identity with an already signed-in account, the attacker's provider identity is attached to the victim's account. The JWT signature prevents forging a token without the state secret, but the attacker does not need to forge one; any legitimately issued token works. This is particularly concerning where OAuth is used for single sign-on (SSO) or federated authentication, because one weak callback can expose every application behind it.
This vulnerability was publicly disclosed on 2025-12-19. There is currently no indication of active exploitation campaigns targeting it. No public proof-of-concept (PoC) code has been released, but exploitation requires little more than starting an OAuth login to obtain a valid state token and crafting a callback URL for the victim to visit. The vulnerability is not listed in the CISA KEV catalog, and its EPSS score is low (0.06%).
Exploit Status
EPSS: 0.06% (17th percentile)
CISA SSVC: not provided
CVSS Vector: not provided
The primary mitigation is to upgrade to version 15.0.2 of fastapi-users or later, which fixes the state token generation. If upgrading immediately is not feasible, a temporary workaround is to pass unique, per-request data in the state_data dictionary given to generate_state_token(), for example a random nonce of at least 128 bits. Note that random data inside the token is only useful if the callback also checks it against something the browser holds, such as the same nonce stored in an HttpOnly cookie set when the flow starts; without that comparison an attacker's own token still validates and the CSRF remains. Additionally, review your OAuth configuration to ensure that the authorize redirect URL is restricted to your own origin and that token validation (signature, audience, expiry) is enforced on the callback. After upgrading, confirm the fix by starting two OAuth flows and decoding the `state` query parameter from each authorization URL: the claims should differ per request rather than containing only `aud` and `exp`.
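The following is an added demonstration of the weak token shape described above and of the cookie-bound workaround just outlined; it is not code from fastapi-users and not the library's actual patch. It uses only the standard library: encode_jwt/decode_jwt are a minimal HS256 stand-in for the library's JWT helpers, STATE_SECRET is a constructed value, the `nonce` claim and cookie binding are an assumed design, and inspect_state_claims is the post-upgrade check that decodes a `state` value without verifying it.

```python
"""Added demonstration (not fastapi-users code) of the OAuth state-token weakness
and one hardened variant. Stdlib only: encode_jwt/decode_jwt stand in for the
library's JWT helpers, and STATE_SECRET is a constructed value."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

STATE_TOKEN_AUDIENCE = "fastapi-users:oauth-state"    # fixed audience claim the page describes
STATE_SECRET = "constructed-demo-secret-do-not-reuse"  # constructed; never use in production


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(payload: dict, secret: str) -> str:
    """Minimal HS256 JWT; identical payloads yield identical tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def decode_jwt(token: str, secret: str, audience: str, now: Optional[float] = None) -> dict:
    """Verify signature, audience and expiry; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    expected = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(body))
    if payload.get("aud") != audience:
        raise ValueError("bad audience")
    if payload.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return payload


def generate_state_token(state_data: dict, secret: str, lifetime_seconds: int = 3600,
                         now: Optional[float] = None) -> str:
    """Same call shape as the page describes: state_data plus fixed aud and exp."""
    issued = int(time.time() if now is None else now)
    payload = dict(state_data, aud=STATE_TOKEN_AUDIENCE, exp=issued + lifetime_seconds)
    return encode_jwt(payload, secret)


def inspect_state_claims(token: str) -> dict:
    """Decode claims WITHOUT verifying: for checking what /authorize hands out."""
    return json.loads(_b64url_decode(token.split(".")[1]))


# --- Vulnerable shape: empty state_data, so nothing ties the token to the browser ---

def vulnerable_authorize(now: float) -> str:
    return generate_state_token({}, STATE_SECRET, now=now)


def vulnerable_callback(state: str, now: float) -> bool:
    """Accepts ANY validly signed, unexpired state, whoever requested it."""
    decode_jwt(state, STATE_SECRET, STATE_TOKEN_AUDIENCE, now=now)
    return True


# --- Hardened shape (assumed design, not the library's patch): a per-request nonce
#     lives in the token AND in a cookie; the callback requires both to match ---

def hardened_authorize(now: float) -> Tuple[str, str]:
    nonce = secrets.token_urlsafe(32)   # 256 bits of fresh entropy per request
    state = generate_state_token({"nonce": nonce}, STATE_SECRET, now=now)
    return state, nonce                 # caller sets nonce in a HttpOnly, SameSite cookie


def hardened_callback(state: str, cookie_nonce: str, now: float) -> dict:
    payload = decode_jwt(state, STATE_SECRET, STATE_TOKEN_AUDIENCE, now=now)
    token_nonce = str(payload.get("nonce", "")).encode()
    if not hmac.compare_digest(token_nonce, cookie_nonce.encode()):
        raise ValueError("state token is not bound to this browser session")
    return payload


if __name__ == "__main__":
    t0 = 1_700_000_000
    attacker_state = vulnerable_authorize(t0)   # attacker starts a login themselves
    victim_state = vulnerable_authorize(t0)     # victim's own token, same second
    print("vulnerable tokens identical:", attacker_state == victim_state)
    print("attacker's state accepted for victim:", vulnerable_callback(attacker_state, t0 + 60))
    v_state, v_nonce = hardened_authorize(t0)
    a_state, _ = hardened_authorize(t0)
    try:
        hardened_callback(a_state, v_nonce, t0 + 60)
    except ValueError as err:
        print("hardened rejects attacker's state:", err)
    print("claims after hardening:", sorted(inspect_state_claims(v_state)))
```

The hardened variant keeps the token stateless (no server-side store) but makes each one usable only from the browser that received the matching cookie; an attacker's token still has a valid signature and audience, yet fails the nonce comparison. Replace the stand-in JWT helpers with the library's own when applying this pattern to a real deployment.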
Update the FastAPI Users library to version 15.0.2 or later. This fixes the Cross-Site Request Forgery (CSRF) vulnerability in the OAuth login flow and mitigates the risk of an attacker taking over a user's account.
CVE-2025-68481 is a medium severity vulnerability affecting FastAPI Users versions up to 9.3.2. The stateless OAuth login state tokens carry no per-request entropy and are not bound to the requesting browser, which enables CSRF against the OAuth callback and can lead to account takeover.
You are affected if you are using FastAPI Users version 9.3.2 or earlier and rely on OAuth authentication. Upgrade to version 15.0.2 to resolve the issue.
Upgrade to version 15.0.2 of the fastapi-users library. If immediate upgrade is not possible, implement a temporary workaround by adding unique per-request data to the state_data dictionary.
There is currently no indication of active exploitation campaigns targeting this specific vulnerability, but the lack of entropy makes exploitation relatively straightforward.
Refer to the official FastAPI Users repository and release notes for the latest information and advisory regarding CVE-2025-68481.