CVE-2025-14546

6.3 MEDIUM

📋 TL;DR

This CSRF vulnerability in fastapi-sso allows attackers to link their own OAuth provider account to a victim's internal account. The library did not bind the OAuth state parameter to the user's session, so an attacker can start an OAuth flow themselves, capture the provider's callback URL (which carries an authorization code for the attacker's provider account and the attacker's state), and get a logged-in victim to open it; the application completes the callback inside the victim's session and links the attacker's external account to the victim's account. Any application that uses fastapi-sso for OAuth authentication with an affected version is exposed.

💻 Affected Systems

Products:
  • fastapi-sso
Versions: All versions before 0.19.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using fastapi-sso for OAuth authentication with vulnerable versions.

⚠️ Manual Verification Required

Automated version matching is not available for this CVE: the NVD entry carries no machine-readable version ranges, so automatic detection cannot decide whether a given install is affected. Check the installed version manually against the fixed release, 0.19.0 (see Fix & Mitigation and How to Verify below).

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Update to fastapi-sso 0.19.0 or later, the release that contains the fix

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains unauthorized access to victim's account by linking their malicious OAuth account, potentially leading to account takeover and data compromise.

🟠

Likely Case

Unauthorized account linking where attacker's external account gets associated with victim's internal account, requiring manual cleanup and causing user confusion.

🟢

If Mitigated

Proper state validation prevents unauthorized account linking, maintaining secure OAuth authentication flow.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The attacker needs no account on the target application: they complete the provider side of the flow with their own provider account, then deliver the resulting callback URL to a logged-in victim, for example as a crafted link. Because the callback's state is not checked against the victim's session, the request succeeds and the attacker's external account is linked to the victim's account.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.19.0

Vendor Advisory: https://github.com/tomasvotava/fastapi-sso/commit/6117d1a5ad498ba57d671e8a059ebe20db5abe02

Restart Required: Yes

Instructions:

1. Update fastapi-sso to version 0.19.0 or later: pip install "fastapi-sso>=0.19.0" (quote the requirement so the shell does not treat > as a redirect)
2. Restart your FastAPI application
3. Verify the state parameter is now properly validated during OAuth callbacks

🔧 Temporary Workarounds

Implement custom state validation (applies to all platforms)

Before redirecting to the provider, generate an unpredictable state value, store it in the user's server-side session, and pass it in the authorization URL. On the callback, reject the request unless the returned state matches the value stored in that same session, then clear the stored value so it cannot be reused.
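The check described above, as an added example that is not fastapi-sso's own code or the project's fix. It is framework-independent: the session is a plain dict standing in for your server-side session store, `session_id` is whatever identifier your session middleware assigns, and `secret_key` is an application secret; all three are assumptions. The state is tied to the session twice, by an HMAC over the session id and by the nonce kept in the session, is single-use, and expires. `simulate_login_csrf()` replays the CVE scenario against the check.

```python
# Added illustration (not fastapi-sso code): binding the OAuth ``state`` value
# to the session that started the login flow, and refusing callbacks that
# present a state belonging to some other session.
import hashlib
import hmac
import secrets
import time
from typing import Optional

STATE_TTL_SECONDS = 300  # assumption: a login flow should finish within five minutes


class OAuthStateError(Exception):
    """The callback's state does not belong to this session."""


def _mac(secret_key: bytes, session_id: str, nonce: str, issued: int) -> str:
    msg = f"{session_id}|{nonce}|{issued}".encode()
    return hmac.new(secret_key, msg, hashlib.sha256).hexdigest()


def issue_state(session: dict, secret_key: bytes, session_id: str,
                now: Optional[float] = None) -> str:
    """Create a state for the authorize URL and remember it in *this* session."""
    nonce = secrets.token_urlsafe(16)  # base64url alphabet, never contains '.'
    issued = int(time.time() if now is None else now)
    # The pending state is kept server-side; only this session can redeem it.
    session["oauth_state"] = {"nonce": nonce, "issued": issued}
    return f"{nonce}.{issued}.{_mac(secret_key, session_id, nonce, issued)}"


def verify_state(session: dict, secret_key: bytes, session_id: str,
                 presented: str, now: Optional[float] = None) -> None:
    """Check the state echoed back by the provider; raise on any mismatch.

    The pending state is consumed even when the check fails, so one value
    can never complete two callbacks.
    """
    pending = session.pop("oauth_state", None)
    if pending is None:
        raise OAuthStateError("no OAuth flow was started in this session")
    parts = presented.split(".")
    if len(parts) != 3 or not parts[1].isdigit():
        raise OAuthStateError("malformed state")
    nonce, issued_text, mac = parts
    issued = int(issued_text)
    # The MAC ties the value to this session id, so a state minted in the
    # attacker's session fails here even if the victim also has a flow pending.
    if not hmac.compare_digest(_mac(secret_key, session_id, nonce, issued), mac):
        raise OAuthStateError("state was not issued for this session")
    # And it must be the exact value this session is waiting for.
    if not hmac.compare_digest(nonce, pending["nonce"]) or issued != pending["issued"]:
        raise OAuthStateError("state does not match the pending flow")
    current = time.time() if now is None else now
    if current - issued > STATE_TTL_SECONDS:
        raise OAuthStateError("state expired")


def callback_accepted(session: dict, secret_key: bytes, session_id: str,
                      presented: str, now: Optional[float] = None) -> bool:
    """What the callback route would do: accept only a valid, session-bound state."""
    try:
        verify_state(session, secret_key, session_id, presented, now)
    except OAuthStateError:
        return False
    return True


def simulate_login_csrf() -> dict:
    """Replay the CVE scenario against the session-bound check.

    The attacker starts a flow in their own session and hands the resulting
    callback (carrying the attacker's state) to two victims: one with no flow
    pending and one who happens to have started their own login.
    """
    key = secrets.token_bytes(32)
    attacker, idle_victim, busy_victim = {}, {}, {}
    attacker_state = issue_state(attacker, key, "sid-attacker")
    issue_state(busy_victim, key, "sid-busy-victim")  # victim's own pending flow
    return {
        "idle_victim_rejected": not callback_accepted(idle_victim, key, "sid-idle-victim", attacker_state),
        "busy_victim_rejected": not callback_accepted(busy_victim, key, "sid-busy-victim", attacker_state),
        # The session that really started the flow completes it once ...
        "owner_accepted": callback_accepted(attacker, key, "sid-attacker", attacker_state),
        # ... and cannot replay the same callback.
        "replay_rejected": not callback_accepted(attacker, key, "sid-attacker", attacker_state),
    }
```

In a FastAPI app the two functions sit on either side of the redirect: `issue_state` runs in the login route and its return value goes into the authorization URL, `verify_state` runs first thing in the callback route before any token exchange or account linking. Popping the pending state before checking anything guarantees a failed callback cannot be retried with a different guess.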

🧯 If You Can't Patch

  • Disable OAuth authentication via fastapi-sso until patched
  • Implement additional CSRF protection at application layer

🔍 How to Verify

Check if Vulnerable:

Check fastapi-sso version with pip show fastapi-sso and verify if version is below 0.19.0

Check Version:

pip show fastapi-sso | grep Version

Verify Fix Applied:

Verify fastapi-sso version is 0.19.0 or higher and test OAuth flow to ensure state parameter validation works

📡 Detection & Monitoring

Log Indicators:

  • Multiple OAuth authentication attempts from same user with different external accounts
  • Unexpected account linking events in authentication logs

Network Indicators:

  • Unusual OAuth callback patterns with mismatched state parameters

SIEM Query:

source="auth_logs" AND (event="oauth_callback" AND state_validation="failed")
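The two log indicators and the SIEM query above, as added detection logic that is not part of the original page and not tied to any particular logging setup. It runs over constructed key=value log lines embedded below; the field names (event, user, provider, external_id, state_validation, src) are assumptions to be mapped onto whatever your application actually emits.

```python
# Added illustration (not the page's or fastapi-sso's code): the two log
# indicators above, run over constructed key=value log lines.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; field names are assumptions.
SAMPLE_LOG = """\
2025-03-01T09:00:01Z event=oauth_callback user=alice provider=google state_validation=ok
2025-03-01T09:00:05Z event=oauth_callback user=bob provider=google state_validation=failed src=203.0.113.7
2025-03-01T09:01:00Z event=account_linked user=carol provider=github external_id=gh-111
2025-03-01T09:01:30Z event=account_linked user=carol provider=github external_id=gh-222
2025-03-01T09:02:00Z event=account_linked user=dave provider=google external_id=g-9
2025-03-01T09:03:00Z event=oauth_callback user=erin provider=github state_validation=failed src=198.51.100.4
"""


def parse_line(line: str) -> dict:
    """Turn '<timestamp> k=v k=v ...' into a dict with a parsed 'ts'."""
    timestamp, *fields = line.split()
    record = {"ts": datetime.fromisoformat(timestamp.replace("Z", "+00:00"))}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def failed_state_checks(records: list) -> list:
    """Callbacks whose state validation failed: the SIEM query above, in code."""
    return [r for r in records
            if r.get("event") == "oauth_callback" and r.get("state_validation") == "failed"]


def multi_link_users(records: list, window: timedelta = timedelta(minutes=10)) -> dict:
    """Users who linked more than one distinct external account on the same
    provider within `window`; value is the sorted list of external ids."""
    by_user = defaultdict(list)
    for r in records:
        if r.get("event") == "account_linked":
            by_user[(r["user"], r["provider"])].append(r)
    flagged = {}
    for key, events in by_user.items():
        events.sort(key=lambda r: r["ts"])
        external_ids = sorted({e["external_id"] for e in events})
        if len(external_ids) > 1 and events[-1]["ts"] - events[0]["ts"] <= window:
            flagged[key] = external_ids
    return flagged


def analyse(log_text: str) -> dict:
    """Run both indicators over a block of log text."""
    records = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    return {
        "failed_state_users": [r["user"] for r in failed_state_checks(records)],
        "multi_link": multi_link_users(records),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

A failed state check on a patched install is the direct signal that someone presented a state from another session. The multi-link rule is the post-hoc signal on unpatched installs, where the callback succeeded and the only trace is a second external identity appearing on an account shortly after the first; tune the window to how often genuine users re-link accounts.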
