CVE-2025-65430

5.4 MEDIUM

📋 TL;DR

This vulnerability in django-allauth allows users whose accounts have been deactivated (is_active=False) to keep using access and refresh tokens that were issued to them before deactivation: token validation did not re-check the account's active status, so flipping is_active alone did not cut off token-based access until the tokens expired or were revoked. It affects Django applications in which django-allauth itself issues and validates those tokens, i.e. deployments that use its OAuth2/OpenID Connect identity-provider (IdP) functionality. Merely signing users in through an external provider such as Google, Facebook or GitHub does not involve django-allauth issuing tokens to the user and is not the affected path.

💻 Affected Systems

Products:
  • django-allauth
Versions: All versions before 65.13.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments in which django-allauth acts as the OAuth2/OpenID Connect identity provider and issues access and refresh tokens. Standard Django session authentication is not affected: Django's ModelBackend rejects users with is_active=False both at login and when loading the user for an existing session.

📦 What is this software?

django-allauth is an integrated set of Django applications for authentication, registration, account management and third-party (social) sign-in. Recent releases can additionally act as an OAuth2/OpenID Connect identity provider, issuing access and refresh tokens to client applications, and expose a headless API for single-page and mobile clients.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A user whose account was disabled for security reasons (a compromised or malicious account) keeps access to the application with the tokens already in hand, and can extend that access by refreshing them, reading sensitive data or performing actions as that account while administrators believe it is switched off.

🟠 Likely Case

Former employees or users whose accounts were deactivated, intentionally or not, keep using the application from clients (mobile apps, scripts, integrations) that still hold old tokens, until those tokens expire or are revoked.

🟢 If Mitigated

With short access-token lifetimes and token revocation wired into the deactivation step, exposure is limited to the remaining lifetime of tokens issued before deactivation. Short lifetimes alone are not enough while refresh tokens remain usable, since each refresh extends the window.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires holding an access or refresh token that was issued to the account before it was deactivated. No tools beyond ordinary HTTP/API requests are needed: the holder simply keeps presenting the access token, or refreshes it at the token endpoint, exactly as before deactivation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 65.13.0

Vendor Advisory: https://allauth.org/news/2025/10/django-allauth-65.13.0-released/

Restart Required: Yes

Instructions:

1. Update django-allauth: pip install --upgrade "django-allauth>=65.13.0"
2. Restart every Django process (web workers, background/Celery workers) so the patched code is loaded
3. Verify the update took effect: pip show django-allauth | grep Version must report 65.13.0 or later

Tokens already issued to deactivated accounts are expected to be rejected once the patched code is running, since the fix checks the account's status when a token is used; confirm this with the verification steps below rather than assuming it.

🔧 Temporary Workarounds

Manual Token Revocation (applies to all platforms)

Delete or revoke every access and refresh token that belongs to a deactivated user, either through your application's admin interface or directly in the application's token table, and hook the same revocation into the deactivation step itself (for example a signal handler that fires when is_active changes to False) so it cannot be forgotten.

Reduce Token Lifetimes (applies to all platforms)

Configure shorter access-token and refresh-token lifetimes to shrink the window during which a pre-deactivation token remains usable. This limits exposure but does not close it: a refresh token that is still valid can mint new access tokens until it expires or is revoked.

🧯 If You Can't Patch

  • Run a recurring job that finds deactivated users with unexpired tokens and revokes them, and alert on any token use by such users (see Detection & Monitoring)
  • Add an application-level check of user.is_active on every token-authenticated endpoint (middleware, a wrapper around the authentication class, or a view decorator) so that a token whose owner is inactive is rejected regardless of what the library decides
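The two items above, as an added example that is not django-allauth's code: a minimal token store with the pre-fix validation logic beside a hardened version that also checks `is_active`, and a deactivation step that revokes the user's tokens so stale tokens never outlive the account. `User`, `Token` and `TokenStore` are stand-ins for the Django user model and the application's token table; the token values and the clock are constructed for the example.

```python
# Added example (not django-allauth's code): an application-level is_active
# check on stored tokens, shown in its vulnerable and hardened forms, plus a
# deactivation step that revokes the user's tokens. User/Token/TokenStore are
# stand-ins for the Django user model and the application's token table.
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass
class User:
    """Minimal stand-in for django.contrib.auth's user model."""
    username: str
    is_active: bool = True


@dataclass
class Token:
    """Stand-in for a stored access or refresh token issued by the application."""
    value: str
    user: User
    expires_at: datetime
    revoked: bool = False


class TokenStore:
    """In-memory token table; a real deployment would query the database."""

    def __init__(self) -> None:
        self._tokens: Dict[str, Token] = {}

    def issue(self, user: User, now: datetime, ttl: timedelta = timedelta(hours=1)) -> Token:
        token = Token(secrets.token_urlsafe(32), user, now + ttl)
        self._tokens[token.value] = token
        return token

    def lookup(self, value: str) -> Optional[Token]:
        return self._tokens.get(value)

    def revoke_for_user(self, user: User) -> int:
        """Revoke every unrevoked token owned by `user`; returns how many were revoked."""
        revoked = 0
        for token in self._tokens.values():
            if token.user is user and not token.revoked:
                token.revoked = True
                revoked += 1
        return revoked


def _live_token(store: TokenStore, value: str, now: datetime) -> Optional[Token]:
    """The token exists, has not been revoked and has not expired."""
    token = store.lookup(value)
    if token is None or token.revoked or token.expires_at <= now:
        return None
    return token


def vulnerable_authenticate(store: TokenStore, value: str, now: datetime) -> Optional[User]:
    """Pre-fix behaviour: a live token is accepted without looking at its owner."""
    token = _live_token(store, value, now)
    return token.user if token is not None else None


def hardened_authenticate(store: TokenStore, value: str, now: datetime) -> Optional[User]:
    """Hardened: the token must be live AND its owner must still be active."""
    token = _live_token(store, value, now)
    if token is None or not token.user.is_active:
        return None
    return token.user


def deactivate_user(store: TokenStore, user: User) -> int:
    """Deactivate and revoke in one step so stale tokens never outlive the account."""
    user.is_active = False
    return store.revoke_for_user(user)


def demo() -> dict:
    """Walk through the scenario with a fixed clock; returns the observations."""
    now = datetime(2025, 10, 1, 12, 0, tzinfo=timezone.utc)
    store = TokenStore()
    alice = User("alice")
    token = store.issue(alice, now)

    # Deactivation done the naive way: flip the flag, leave the tokens alone.
    alice.is_active = False
    observed = {
        "vulnerable_accepts_inactive": vulnerable_authenticate(store, token.value, now) is alice,
        "hardened_accepts_inactive": hardened_authenticate(store, token.value, now) is alice,
    }

    # Deactivation done properly: the token is gone even for the unpatched check.
    alice.is_active = True
    observed["revoked_count"] = deactivate_user(store, alice)
    observed["vulnerable_after_revocation"] = vulnerable_authenticate(store, token.value, now) is alice

    # Expiry still applies to an active user's token.
    bob = User("bob")
    bob_token = store.issue(bob, now, ttl=timedelta(minutes=5))
    observed["expired_accepted"] = hardened_authenticate(store, bob_token.value, now + timedelta(minutes=10)) is bob
    return observed


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened check is cheap (one attribute read on a user the lookup already loaded) and belongs in whatever layer resolves a token to a user, not in individual views; the revocation in `deactivate_user` is the belt-and-braces part, since it protects you even while an unpatched library is still doing the token lookup.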

🔍 How to Verify

Check if Vulnerable:

Any django-allauth version below 65.13.0 with the OAuth2/OpenID Connect identity-provider functionality enabled is vulnerable. Check the installed version:

pip show django-allauth | grep Version

Verify Fix Applied:

After updating, issue an access token and a refresh token to a test account, deactivate that account (set is_active=False via the Django admin or a shell), then call a token-protected endpoint with the access token and attempt a refresh with the refresh token: both must be rejected. Repeat the sequence with the account active to confirm tokens still work for active users.

📡 Detection & Monitoring

Log Indicators:

  • Successful token-authenticated requests, or token refreshes, by accounts your user directory lists as deactivated, in particular any such event timestamped after the account's deactivation
  • API activity from deactivated accounts continuing after the deactivation change was recorded (the vulnerable application logs these as ordinary successes, so the deactivated-user list has to come from the user table or an audit trail, not from the auth event itself)

Network Indicators:

  • OAuth token usage (bearer-token requests, token-endpoint refreshes) from deactivated accounts

SIEM Query:

Join the authentication events against an exported list of deactivated users, since on the vulnerable version the event itself will not carry is_active=false, e.g. (pseudo-query):

source="django" AND event IN ("token_auth_success", "token_refresh") AND user IN [deactivated_users] AND timestamp > deactivated_at(user)
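The join described above, as an added detection example that is not from the original page or from django-allauth: it sweeps constructed JSON log lines against a constructed export of deactivation timestamps and reports every token use after an account was deactivated. The event names, field names and sample lines are assumptions; map them onto whatever your application actually emits.

```python
# Added example (not part of the original page or of django-allauth): a
# detection sweep that flags token use after an account's deactivation time.
# The log format, field names and the deactivation export are constructed for
# this example; map them onto whatever your application actually emits.
import json
from datetime import datetime
from typing import Dict, Iterable, List

# Constructed sample: one JSON event per line, as an application might log for
# token-authenticated API requests and token refreshes. The last line is
# deliberately malformed to show the sweep tolerating it.
SAMPLE_LOG = """\
{"ts": "2025-10-01T08:00:00Z", "event": "token_auth_success", "user": "alice", "client_id": "web", "path": "/api/reports"}
{"ts": "2025-10-01T09:30:00Z", "event": "token_auth_success", "user": "bob", "client_id": "mobile", "path": "/api/me"}
{"ts": "2025-10-01T12:15:00Z", "event": "token_auth_success", "user": "alice", "client_id": "web", "path": "/api/export"}
{"ts": "2025-10-01T12:16:00Z", "event": "token_refresh", "user": "alice", "client_id": "web", "path": "/o/token/"}
{"ts": "2025-10-01T13:00:00Z", "event": "login_failed", "user": "alice", "client_id": "web", "path": "/accounts/login/"}
not json at all
"""

# Constructed: when each account was set to is_active=False. Django's default
# user table has no such timestamp, so keep one yourself (profile model,
# admin LogEntry or a dedicated audit log) and export it for the sweep.
DEACTIVATED_AT: Dict[str, str] = {"alice": "2025-10-01T10:00:00Z"}

# Event types that mean a token was accepted (or renewed) for the user.
TOKEN_EVENTS = {"token_auth_success", "token_refresh"}


def parse_ts(value: str) -> datetime:
    """ISO-8601 with a trailing Z, as most JSON loggers emit it."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_post_deactivation_token_use(log_lines: Iterable[str],
                                     deactivated_at: Dict[str, str]) -> List[dict]:
    """Return every token event by a deactivated user at or after their cutoff."""
    cutoffs = {user: parse_ts(ts) for user, ts in deactivated_at.items()}
    hits: List[dict] = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the sweep
        if event.get("event") not in TOKEN_EVENTS:
            continue  # failed logins etc. are not evidence of a working token
        cutoff = cutoffs.get(event.get("user"))
        if cutoff is None:
            continue  # account is (still) active, nothing to flag
        when = parse_ts(event["ts"])
        if when >= cutoff:
            hits.append({
                "user": event["user"],
                "event": event["event"],
                "ts": event["ts"],
                "client_id": event.get("client_id"),
                "path": event.get("path"),
                "minutes_after_deactivation": int((when - cutoff).total_seconds() // 60),
            })
    return hits


if __name__ == "__main__":
    for hit in find_post_deactivation_token_use(SAMPLE_LOG.splitlines(), DEACTIVATED_AT):
        print(hit)
```

On the constructed sample the sweep reports alice's 12:15 API call and the 12:16 refresh (both after her 10:00 deactivation) and ignores her earlier 08:00 call, bob's activity and the failed login. The refresh hit is the one to treat as urgent: it means a refresh token is still minting new access tokens for a deactivated account.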

🔗 References

  • Vendor advisory (65.13.0 release notes): https://allauth.org/news/2025/10/django-allauth-65.13.0-released/
