CVE-2025-14546

Published: Dec 19, 2025

Modified: Dec 19, 2025

PUBLISHED

CVSS v3.1

6.3

MEDIUM

Description

Versions of the package fastapi-sso before 0.19.0 are vulnerable to Cross-site Request Forgery (CSRF) due to the improper validation of the OAuth state parameter during the authentication callback. While the get_login_url method allows for state generation, it does not persist the state or bind it to the user's session. Consequently, the verify_and_process method accepts the state received in the query parameters without verifying it against a trusted local value. This allows a remote attacker to trick a victim into visiting a malicious callback URL, which can result in the attacker's account being linked to the victim's internal account.

Vendor	Product	Versions
n/a	fastapi-sso	affected `0 - < 0.19.0`

Weaknesses (CWE)

CWE-285

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N/E:P

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

References

https://security.snyk.io/vuln/SNYK-PYTHON-FASTAPISSO-14386403

https://github.com/tomasvotava/fastapi-sso/commit/6117d1a5ad498ba57d671e8a059ebe20db5abe02

https://github.com/tomasvotava/fastapi-sso/issues/266

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-14546

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References