CVE-2025-68158

5.7 MEDIUM

📋 TL;DR

This CSRF vulnerability in Authlib allows attackers to bypass Cross-Site Request Forgery protections in OAuth flows. Attackers can hijack authentication sessions by obtaining valid state tokens through their own authentication attempts. This affects all users of Authlib 1.6.5 and earlier who use cache-backed state storage.

💻 Affected Systems

Products:
  • Authlib
Versions: 1.6.5 and prior
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects configurations using cache-backed state/request-token storage. Memory-backed storage is not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could hijack user authentication sessions, potentially gaining unauthorized access to user accounts and sensitive data through OAuth/OpenID Connect integrations.

🟠 Likely Case

Attackers could perform CSRF attacks against OAuth flows, potentially compromising user sessions in applications using vulnerable Authlib configurations.

🟢 If Mitigated

With proper session validation and CSRF protections in the application layer, impact would be limited to failed authentication attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The attack only requires the attacker to initiate their own authentication flow to obtain a valid state token, which is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.6

Vendor Advisory: https://github.com/authlib/authlib/security/advisories/GHSA-fg6f-75jq-6523

Restart Required: Yes

Instructions:

1. Update Authlib to version 1.6.6 or later using pip: pip install --upgrade "authlib>=1.6.6" (the version specifier is quoted so the shell does not treat >= as an output redirection)
2. Restart all services using Authlib
3. Verify the update was successful

🔧 Temporary Workarounds

Disable cache-backed state storage (applies to: all affected versions)

Switch to memory-backed state storage instead of cache-backed storage: modify the Authlib configuration to use memory storage instead of cache storage.

🧯 If You Can't Patch

  • Implement additional CSRF protections at the application layer
  • Monitor authentication logs for suspicious OAuth state token usage patterns

🔍 How to Verify

Check if Vulnerable:

Check the installed Authlib version: python -c "import authlib; print(authlib.__version__)"

Verify Fix Applied:

Verify version is 1.6.6 or higher and check that state tokens are now properly tied to user sessions

📡 Detection & Monitoring

Log Indicators:

  • Multiple authentication attempts with same state token from different sessions
  • OAuth state validation failures

Network Indicators:

  • Unusual OAuth callback patterns
  • CSRF attempts against authentication endpoints

SIEM Query:

(authlib OR oauth) AND (state_token OR csrf) AND (failure OR multiple_sessions)
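
The two log indicators above (the same state token appearing on more than one session, and OAuth state validation failures) can be checked mechanically. The following Python helper is an added example, not part of this advisory or of the Authlib project; the log line layout (`session=`, `state=`, `event=` fields) and the sample lines are constructed assumptions, so adapt the regular expression to the format your application actually emits.

```python
"""Flag OAuth state tokens reused across sessions and state validation failures (added example)."""
import re
from collections import defaultdict

# Constructed sample log lines. The field layout is an assumption for this example:
# <timestamp> <source> session=<id> state=<token> event=<state_issued|state_ok|state_failed>
SAMPLE_LOG = """\
2025-01-10T10:00:01Z oauth.authorize session=sess-a1 state=tok-111 event=state_issued
2025-01-10T10:00:05Z oauth.callback  session=sess-a1 state=tok-111 event=state_ok
2025-01-10T10:01:00Z oauth.authorize session=sess-b2 state=tok-222 event=state_issued
2025-01-10T10:01:30Z oauth.callback  session=sess-c3 state=tok-222 event=state_ok
2025-01-10T10:02:00Z oauth.callback  session=sess-d4 state=tok-999 event=state_failed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+session=(?P<session>\S+)"
    r"\s+state=(?P<state>\S+)\s+event=(?P<event>\S+)$"
)


def parse_lines(text):
    """Yield one dict per log line that matches the assumed layout; skip the rest."""
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if match:
            yield match.groupdict()


def shared_state_tokens(text):
    """Return {state_token: sorted session ids} for tokens seen on more than one session.

    A state token issued to one session and accepted on the callback of a different
    session is the 'multiple sessions' indicator named in the advisory.
    """
    sessions_by_state = defaultdict(set)
    for rec in parse_lines(text):
        sessions_by_state[rec["state"]].add(rec["session"])
    return {tok: sorted(s) for tok, s in sessions_by_state.items() if len(s) > 1}


def state_failures(text):
    """Return the records whose event is a state validation failure."""
    return [rec for rec in parse_lines(text) if rec["event"] == "state_failed"]


if __name__ == "__main__":
    for tok, sessions in shared_state_tokens(SAMPLE_LOG).items():
        print(f"state token {tok} used by sessions {sessions}")
    for rec in state_failures(SAMPLE_LOG):
        print(f"state validation failure at {rec['ts']} on session {rec['session']}")
```

Run against the constructed sample, the first function reports tok-222 as shared between sess-b2 and sess-c3, and the second reports the single failed callback; a real deployment would feed the same functions from the application's authentication log and alert on any non-empty result.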
