Platform
python
Component
fastapi-users
Fixed versions
15.0.3
15.0.2
CVE-2025-68481 describes a vulnerability in the fastapi-users library in which the OAuth login state token is generated without any per-request entropy. Because the token carries nothing that ties it to the browser session that started the flow, an attacker can present a valid state token of their own in a forged OAuth callback, which is exactly the cross-site request forgery the state parameter exists to prevent, and potentially hijack or take over user sessions. All fastapi-users versions before 15.0.2 are affected; the fix shipped in 15.0.2 (15.0.3 is also listed as a fixed version).
The core issue is that the state token is stateless. The OAuth router calls generate_state_token() with an empty state_data dictionary every time, so the resulting JWT contains only the fixed audience claim and an expiration timestamp; nothing in it identifies the session, user or request that began the flow. The OAuth state parameter exists so that the callback endpoint can confirm the response it receives belongs to a flow that the same browser started (RFC 6749, section 10.12). A token with no per-request data cannot provide that check: any unexpired token signed with the application's state secret, including one the attacker obtained by starting their own login flow, is accepted at the callback. This is particularly concerning where fastapi-users fronts single sign-on (SSO) or federated authentication, because a successful attack on the login or account-association flow carries over to every application and service that trusts the resulting session.
The vulnerability was publicly disclosed on 2025-12-19. There is currently no indication of active exploitation campaigns targeting it, and no public proof-of-concept (PoC) code has been released, but no cryptographic weakness needs to be broken: the state token is valid for any session, so exploitation is a matter of getting a victim's browser to load a crafted callback URL. The vulnerability is not listed in the CISA KEV catalog; at the time of this page its EPSS score was 0.06% (17th percentile).
Applications built with FastAPI that use the fastapi-users OAuth router for authentication are at risk. This includes web applications, APIs and microservices that rely on OAuth for user login or for associating an OAuth account with an existing user. Deployments running fastapi-users versions before 15.0.2 that have not added their own per-request binding of the state token are vulnerable.
• python / server:
grep -rn 'generate_state_token' /path/to/your/project/ "$(python -c 'import fastapi_users, os; print(os.path.dirname(fastapi_users.__file__))')"
# The vulnerable call in the library's own OAuth router passes an empty state_data dictionary;
# look for the same pattern in any custom OAuth routers in your project.
• python / supply-chain:
from importlib.metadata import PackageNotFoundError, version

# First fixed release according to the advisory.
FIXED = (15, 0, 2)

def parse_version(v):
    # Compare numerically; plain string comparison would rank '9.3.2' above '15.0.2'.
    return tuple(int(part) for part in v.split(".")[:3] if part.isdigit())

def check_fastapi_users_version():
    try:
        installed = version("fastapi-users")
    except PackageNotFoundError:
        print("fastapi-users is not installed.")
        return
    if parse_version(installed) < FIXED:
        print(f"WARNING: fastapi-users version {installed} is vulnerable; upgrade to 15.0.2 or later.")
    else:
        print(f"fastapi-users version {installed} is not vulnerable.")

check_fastapi_users_version()
Disclosure
Exploitation status
EPSS
0.06% (17th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to fastapi-users 15.0.2 or later, which fixes the state token generation. If upgrading immediately is not feasible, a temporary workaround is to pass unique per-request data in the state_data dictionary given to generate_state_token(), for example a random nonce or a session identifier, and, just as important, to verify that value at the callback against something the browser presents (a session entry or a cookie set when the flow started). A random value that is signed into the token but never checked against the requesting session adds no protection, because the attacker's own token is just as valid as the victim's. Also review your OAuth configuration to ensure the authorize_redirect_url points only at your own callback endpoint and that the callback validates the state token before doing anything else. After upgrading, confirm the fix by starting an OAuth flow and decoding the generated state token to verify that it carries unique, per-request data.
Upgrade the FastAPI Users library to version 15.0.2 or later. This fixes the cross-site request forgery (CSRF) vulnerability in the OAuth login flow and reduces the risk of an attacker taking over user accounts.
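To make the mechanism and the workaround concrete, the following is an added, self-contained example; it is not code from fastapi-users or from the advisory. It reproduces the shape of the state token described above (an HS256 JWT carrying only an `aud` claim and an `exp` timestamp), shows why a callback that merely verifies such a token accepts a state minted by anyone, and contrasts it with the per-request binding recommended as a workaround, implemented here as a random nonce carried both inside the state token and in a cookie that the callback compares against. The stdlib JWT helpers, the `weak_*`/`hardened_*` function names and the cookie-binding design are assumptions for illustration only; the library's actual 15.0.2 fix is not reproduced here.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Audience claim used by fastapi-users for OAuth state tokens (from the library's
# router/oauth.py); everything else in this file is illustrative.
STATE_TOKEN_AUDIENCE = "fastapi-users:oauth-state"
STATE_TOKEN_LIFETIME = 3600


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_jwt(payload: dict, secret: str) -> str:
    """Minimal HS256 JWT encoder (stdlib only; stands in for python-jose/PyJWT)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def decode_jwt(token: str, secret: str, audience: str) -> dict:
    """Verify HS256 signature, audience and expiry; raise ValueError otherwise."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(body))
    if payload.get("aud") != audience:
        raise ValueError("wrong audience")
    if payload.get("exp", 0) < time.time():
        raise ValueError("expired")
    return payload


def generate_state_token(state_data: dict, secret: str, lifetime_seconds: int = STATE_TOKEN_LIFETIME) -> str:
    """Same shape as the helper the advisory describes: state_data + aud + exp."""
    payload = dict(state_data)
    payload["aud"] = STATE_TOKEN_AUDIENCE
    payload["exp"] = int(time.time()) + lifetime_seconds
    return encode_jwt(payload, secret)


# --- vulnerable pattern: state_data is always {} --------------------------------

def weak_authorize(secret: str) -> str:
    return generate_state_token({}, secret)


def weak_callback(state: str, secret: str) -> bool:
    """Accepts ANY unexpired token signed with the secret, whoever requested it."""
    try:
        decode_jwt(state, secret, STATE_TOKEN_AUDIENCE)
        return True
    except ValueError:
        return False


# --- hardened pattern: bind the state to the browser that started the flow ------

def hardened_authorize(secret: str) -> tuple:
    """Returns (state, cookie_value); the cookie goes out HttpOnly, SameSite=Lax."""
    nonce = secrets.token_urlsafe(32)
    return generate_state_token({"nonce": nonce}, secret), nonce


def hardened_callback(state: str, cookie_nonce, secret: str) -> bool:
    """Valid only if the token's nonce matches the nonce this browser was given."""
    try:
        data = decode_jwt(state, secret, STATE_TOKEN_AUDIENCE)
    except ValueError:
        return False
    nonce = data.get("nonce")
    if not nonce or not cookie_nonce:
        return False
    return hmac.compare_digest(nonce, cookie_nonce)


def demo() -> dict:
    secret = "constructed-demo-secret"  # constructed for the example
    # The attacker starts their own OAuth flow and keeps the (valid) state token;
    # the weak callback cannot tell that the victim's session never issued it.
    attacker_state = weak_authorize(secret)
    # Hardened flow: the attacker's token is still valid, but the victim's browser
    # holds a different nonce cookie (or none), so the callback refuses it.
    attacker_state2, _ = hardened_authorize(secret)
    victim_state, victim_nonce = hardened_authorize(secret)
    return {
        "weak_accepts_foreign_state": weak_callback(attacker_state, secret),
        "hardened_accepts_own_state": hardened_callback(victim_state, victim_nonce, secret),
        "hardened_accepts_foreign_state": hardened_callback(attacker_state2, victim_nonce, secret),
        "hardened_accepts_without_cookie": hardened_callback(attacker_state2, None, secret),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is that signature, audience and expiry checks are necessary but not sufficient: they prove the application issued the token, not that it issued it to this browser. Only a value the callback can compare against something the requesting browser holds (here the nonce cookie, alternatively a server-side session entry) turns the state parameter back into a CSRF defence.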
CVE-2025-68481 is a medium severity vulnerability affecting FastAPI Users versions before 15.0.2. The OAuth login state token is stateless and carries no per-request entropy, which lets an attacker forge the OAuth callback and potentially hijack user sessions.
You are affected if you run FastAPI Users older than 15.0.2 and rely on its OAuth authentication. Upgrade to version 15.0.2 or later to resolve the issue.
Upgrade the fastapi-users library to version 15.0.2 or later. If an immediate upgrade is not possible, add unique per-request data to the state_data dictionary passed to generate_state_token() and verify that data at the callback against the requesting session.
There is currently no indication of active exploitation campaigns targeting this vulnerability, but because any client can obtain a valid state token, exploitation is relatively straightforward.
Refer to the official FastAPI Users repository and release notes for the latest information and advisory regarding CVE-2025-68481.