Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68158

CVE-2025-68158: Authlib Python Library CSRF Vulnerability

CVE-2025-68158 is a CSRF flaw in Authlib Python library affecting OAuth and OpenID Connect servers. Attackers can exploit cache-backed state storage. This post covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-68158 Overview

CVE-2025-68158 is a Cross-Site Request Forgery (CSRF) vulnerability in Authlib, a Python library used to build OAuth and OpenID Connect servers and clients. The flaw affects versions 1.0.0 through 1.6.5 and is fixed in version 1.6.6. When a cache backend is configured on the OAuth client registry, FrameworkIntegration.set_state_data stores the entire state blob keyed only by _state_{app}_{state}, with no binding to the initiating user session. The companion get_state_data method ignores the caller's session entirely. An attacker who can obtain a valid state value through their own authentication flow can force a victim to complete an OAuth callback bound to the attacker's identity.

Critical Impact

Successful exploitation lets an attacker link a victim's session to an attacker-controlled OAuth identity, leading to account takeover or unauthorized access to protected resources.

Affected Products

  • Authlib versions 1.0.0 through 1.6.5
  • Python applications using Authlib's FrameworkIntegration with a cache backend
  • OAuth and OpenID Connect client integrations relying on cache-backed state storage

Discovery Timeline

  • 2026-01-08 - CVE-2025-68158 published to NVD
  • 2026-03-30 - Last updated in NVD database

Technical Details for CVE-2025-68158

Vulnerability Analysis

The vulnerability is a CSRF weakness classified under [CWE-352]. The OAuth 2.0 state parameter is intended to bind an authorization request to the initiating user's session, providing protection against cross-site request forgery on the redirect URI. Authlib's FrameworkIntegration breaks this binding when a cache is configured on the OAuth client registry.

In the vulnerable code path, set_state_data writes the state blob to the cache under the key _state_{app}_{state}. Because the key derives only from the application name and the state value, any session can read or consume that entry. The get_state_data method does not consult the caller's session before returning the cached blob.

An attacker initiates their own authentication flow to obtain a valid state, then tricks a victim into visiting the corresponding callback URL. Authlib accepts the callback, retrieves the cached state, and completes the flow under the victim's session using the attacker's authorization code.

Root Cause

The root cause is missing session binding on cache-backed state storage. The cache key contains no per-session entropy or user-session identifier, so any party that possesses the state value can satisfy the validation check.

Attack Vector

Exploitation requires network access and user interaction, typically through a crafted link or embedded redirect. The attacker begins an OAuth flow, captures the state value, and delivers the callback URL to a logged-in victim of the relying party application.

python
# Patch excerpt from authlib/integrations/base_client/framework_integration.py
# Source: https://github.com/authlib/authlib/commit/2808378611dd6fb2532b189a9087877d8f0c0489

def get_state_data(self, session, state):
    key = f"_state_{self.name}_{state}"
    session_data = session.get(key)
    if not session_data:
        return None
    if self.cache:
        cached_value = self._get_cache_data(key)
    else:
        cached_value = session_data
    if cached_value:
        return cached_value.get("data")

The fix requires the state key to exist in the caller's session before the cache lookup proceeds. This re-establishes the session-to-state binding that the original implementation omitted.

Detection Methods for CVE-2025-68158

Indicators of Compromise

  • OAuth callback requests where the originating session has no record of the supplied state value
  • Multiple callback completions consuming the same state value across distinct user sessions
  • Account linkage or identity-provider association events that do not correlate with a prior authorization request initiated by the same user

Detection Strategies

  • Audit application logs for OAuth callback handlers that succeed without a matching pre-authorization entry in the user's server-side session store
  • Compare the Referer and session cookie on /callback requests against the session that initiated the corresponding /authorize redirect
  • Inventory Python dependencies and flag any deployments running Authlib >=1.0.0,<1.6.6 with a cache backend configured on the OAuth registry

Monitoring Recommendations

  • Enable verbose logging on OAuth client integrations to capture state issuance and consumption events with session identifiers
  • Alert on anomalous identity-provider link or login events tied to recently registered accounts
  • Track Software Composition Analysis (SCA) findings for authlib:authlib package versions across CI/CD pipelines and runtime hosts

How to Mitigate CVE-2025-68158

Immediate Actions Required

  • Upgrade Authlib to version 1.6.6 or later in all applications that use FrameworkIntegration with a cache backend
  • Audit OAuth client registrations to identify any integration configured with a cache parameter on the registry
  • Invalidate active sessions and require re-authentication after deploying the patched version

Patch Information

The issue is resolved in Authlib 1.6.6. The fix is implemented in commits 2808378 and 7974f45. Full details are available in the GitHub Security Advisory GHSA-fg6f-75jq-6523.

Workarounds

  • Disable the cache backend on the OAuth client registry and fall back to session-only state storage until the upgrade is deployed
  • Add an application-layer check that verifies the state value exists in the user's session before invoking Authlib's authorize_access_token
  • Restrict callback endpoints with additional CSRF protections such as SameSite=Lax or Strict cookies on session identifiers
bash
# Upgrade Authlib to the patched release
pip install --upgrade "authlib>=1.6.6"

# Verify installed version
python -c "import authlib; print(authlib.__version__)"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.