CVE-2025-68158 Overview
CVE-2025-68158 is a Cross-Site Request Forgery (CSRF) vulnerability in Authlib, a Python library used to build OAuth and OpenID Connect servers and clients. The flaw affects versions 1.0.0 through 1.6.5 and is fixed in version 1.6.6. When a cache backend is configured on the OAuth client registry, FrameworkIntegration.set_state_data stores the entire state blob keyed only by _state_{app}_{state}, with no binding to the initiating user session. The companion get_state_data method ignores the caller's session entirely. An attacker who can obtain a valid state value through their own authentication flow can force a victim to complete an OAuth callback bound to the attacker's identity.
Critical Impact
Successful exploitation lets an attacker link a victim's session to an attacker-controlled OAuth identity, leading to account takeover or unauthorized access to protected resources.
Affected Products
- Authlib versions 1.0.0 through 1.6.5
- Python applications using Authlib's FrameworkIntegration with a cache backend
- OAuth and OpenID Connect client integrations relying on cache-backed state storage
Discovery Timeline
- 2026-01-08 - CVE-2025-68158 published to NVD
- 2026-03-30 - Last updated in NVD database
Technical Details for CVE-2025-68158
Vulnerability Analysis
The vulnerability is a CSRF weakness classified under [CWE-352]. The OAuth 2.0 state parameter is intended to bind an authorization request to the initiating user's session, providing protection against cross-site request forgery on the redirect URI. Authlib's FrameworkIntegration breaks this binding when a cache is configured on the OAuth client registry.
In the vulnerable code path, set_state_data writes the state blob to the cache under the key _state_{app}_{state}. Because the key derives only from the application name and the state value, any session can read or consume that entry. The get_state_data method does not consult the caller's session before returning the cached blob.
An attacker initiates their own authentication flow to obtain a valid state, then tricks a victim into visiting the corresponding callback URL. Authlib accepts the callback, retrieves the cached state, and completes the flow under the victim's session using the attacker's authorization code.
Root Cause
The root cause is missing session binding on cache-backed state storage. The cache key contains no per-session entropy or user-session identifier, so any party that possesses the state value can satisfy the validation check.
Attack Vector
Exploitation requires network access and user interaction, typically through a crafted link or embedded redirect. The attacker begins an OAuth flow, captures the state value, and delivers the callback URL to a logged-in victim of the relying party application.
# Patch excerpt from authlib/integrations/base_client/framework_integration.py
# Source: https://github.com/authlib/authlib/commit/2808378611dd6fb2532b189a9087877d8f0c0489
def get_state_data(self, session, state):
key = f"_state_{self.name}_{state}"
session_data = session.get(key)
if not session_data:
return None
if self.cache:
cached_value = self._get_cache_data(key)
else:
cached_value = session_data
if cached_value:
return cached_value.get("data")
The fix requires the state key to exist in the caller's session before the cache lookup proceeds. This re-establishes the session-to-state binding that the original implementation omitted.
Detection Methods for CVE-2025-68158
Indicators of Compromise
- OAuth callback requests where the originating session has no record of the supplied state value
- Multiple callback completions consuming the same state value across distinct user sessions
- Account linkage or identity-provider association events that do not correlate with a prior authorization request initiated by the same user
Detection Strategies
- Audit application logs for OAuth callback handlers that succeed without a matching pre-authorization entry in the user's server-side session store
- Compare the Referer and session cookie on /callback requests against the session that initiated the corresponding /authorize redirect
- Inventory Python dependencies and flag any deployments running Authlib >=1.0.0,<1.6.6 with a cache backend configured on the OAuth registry
Monitoring Recommendations
- Enable verbose logging on OAuth client integrations to capture state issuance and consumption events with session identifiers
- Alert on anomalous identity-provider link or login events tied to recently registered accounts
- Track Software Composition Analysis (SCA) findings for authlib:authlib package versions across CI/CD pipelines and runtime hosts
How to Mitigate CVE-2025-68158
Immediate Actions Required
- Upgrade Authlib to version 1.6.6 or later in all applications that use FrameworkIntegration with a cache backend
- Audit OAuth client registrations to identify any integration configured with a cache parameter on the registry
- Invalidate active sessions and require re-authentication after deploying the patched version
Patch Information
The issue is resolved in Authlib 1.6.6. The fix is implemented in commits 2808378 and 7974f45. Full details are available in the GitHub Security Advisory GHSA-fg6f-75jq-6523.
Workarounds
- Disable the cache backend on the OAuth client registry and fall back to session-only state storage until the upgrade is deployed
- Add an application-layer check that verifies the state value exists in the user's session before invoking Authlib's authorize_access_token
- Restrict callback endpoints with additional CSRF protections such as SameSite=Lax or Strict cookies on session identifiers
# Upgrade Authlib to the patched release
pip install --upgrade "authlib>=1.6.6"
# Verify installed version
python -c "import authlib; print(authlib.__version__)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

