CVE-2025-68158: Authlib has 1-click Account Takeover vulnerability
I am writing to you from the Security Labs team at Snyk to report a security issue affecting Authlib, which we identified during a recent research project.
We have identified a vulnerability that can result in a 1-click Account Takeover in applications that use the Authlib library. (CVSS v3 base score 5.7: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)
Description
Cache-backed state/request-token storage is not tied to the user session that initiated the flow, so CSRF is possible for any attacker who holds a valid state value, which is trivially obtained by starting an authentication flow from the attacker's own browser. When a cache is supplied to the OAuth client registry, FrameworkIntegration.set_state_data writes the entire state blob under the key _state_{app}_{state}, and get_state_data never consults the caller's session: whoever presents the state value retrieves the stored request token. [1][2]
```python
    def _get_cache_data(self, key):
        value = self.cache.get(key)
        if not value:
            return None
        try:
            return json.loads(value)
        except (TypeError, ValueError):
            return None

    [snip]

    def get_state_data(self, session, state):
        # The cache key is derived from the app name and the opaque state only;
        # on the cache path the session argument is never consulted.
        key = f"_state_{self.name}_{state}"
        if self.cache:
            value = self._get_cache_data(key)
        else:
            value = session.get(key)
        if value:
            return value.get("data")
        return None
```
authlib/integrations/base_client/framework_integration.py:12-41
Retrieval in authorize_access_token therefore succeeds for whichever browser presents that opaque value, and the token exchange proceeds with the attacker’s authorization code. [3]
```python
    def authorize_access_token(self, **kwargs):
        """Fetch access token in one step.

        :return: A token dict.
        """
        params = request.args.to_dict(flat=True)
        # OAuth 1 flow: the request token's oauth_token doubles as the state.
        state = params.get("oauth_token")
        if not state:
            raise OAuthError(description='Missing "oauth_token" parameter')
        # Lookup succeeds for any session that presents a state stored in the cache.
        data = self.framework.get_state_data(session, state)
        if not data:
            raise OAuthError(description='Missing "request_token" in temporary data')
        params["request_token"] = data["request_token"]
        params.update(kwargs)
        self.framework.clear_state_data(session, state)
        token = self.fetch_access_token(**params)
        self.token = token
        return token
```
authlib/integrations/flask_client/apps.py:57-76
This enables login CSRF in applications that use the cache-backed storage: the attacker starts a flow, authorizes their own provider account, and then causes the victim's browser to load the callback URL carrying the attacker's oauth_token, so the victim's session completes the exchange and ends up authenticated as the attacker at the provider. Whether that escalates to account takeover depends on the dependent application; one that links the identity returned by the provider to the currently logged-in local account would let the attacker subsequently sign in to the victim's account through the provider.
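As an added example (not Authlib code and not the upstream patch), the following models the cache-backed storage quoted above with in-memory dictionaries, runs the login-CSRF exchange from the description against it, and contrasts it with a hypothetical store that mixes a per-session binding value into the cache key. The class names, the simulated provider, and the helper functions (authorize_redirect, simulate_login_csrf and friends) are assumptions made for this example.

```python
# Added example, not Authlib code. The cache, the browser sessions and the
# OAuth 1 provider are plain in-memory stand-ins constructed here.
import json
import secrets


class OAuthError(Exception):
    """Stand-in for authlib's OAuthError."""


class CacheStateStore:
    """Mirrors the quoted FrameworkIntegration behaviour: the cache key is
    built from the app name and the opaque state only, so the session that
    performs the lookup is irrelevant."""

    def __init__(self, name, cache):
        self.name = name
        self.cache = cache  # shared server-side cache (Redis, memcached, ...)

    def _key(self, session, state):
        return f"_state_{self.name}_{state}"

    def set_state_data(self, session, state, data):
        self.cache[self._key(session, state)] = json.dumps({"data": data})

    def get_state_data(self, session, state):
        value = self.cache.get(self._key(session, state))
        if not value:
            return None
        try:
            return json.loads(value).get("data")
        except (TypeError, ValueError):
            return None

    def clear_state_data(self, session, state):
        self.cache.pop(self._key(session, state), None)


class SessionBoundStateStore(CacheStateStore):
    """Hypothetical hardening (assumption, not the upstream fix): a random
    binding value is minted into the initiating session and mixed into the
    cache key, so a state minted in session A cannot be read from session B."""

    BINDING_KEY = "_oauth_state_binding"

    def _key(self, session, state):
        binding = session.get(self.BINDING_KEY)
        if binding is None:
            return None  # a session that never started a flow matches no key
        return f"_state_{self.name}_{binding}_{state}"

    def set_state_data(self, session, state, data):
        session.setdefault(self.BINDING_KEY, secrets.token_urlsafe(16))
        super().set_state_data(session, state, data)

    def get_state_data(self, session, state):
        if self._key(session, state) is None:
            return None
        return super().get_state_data(session, state)


def authorize_redirect(store, session):
    """Start of the flow: a simulated provider issues a request token and the
    app stores it under its oauth_token, which is the OAuth 1 'state'."""
    request_token = {"oauth_token": secrets.token_hex(8),
                     "oauth_token_secret": secrets.token_hex(8)}
    store.set_state_data(session, request_token["oauth_token"],
                         {"request_token": request_token})
    return request_token["oauth_token"]


def authorize_access_token(store, session, params):
    """Callback handling in the shape of the quoted Flask method; the provider
    exchange is replaced by a stub that reports which request token was redeemed."""
    state = params.get("oauth_token")
    if not state:
        raise OAuthError('Missing "oauth_token" parameter')
    data = store.get_state_data(session, state)
    if not data:
        raise OAuthError('Missing "request_token" in temporary data')
    store.clear_state_data(session, state)
    return {"redeemed_request_token": data["request_token"]["oauth_token"]}


def simulate_login_csrf(store_cls):
    """Attacker starts a flow in their own session, then lures the victim's
    browser to the callback with the attacker's oauth_token. Returns True when
    the victim's (separate) session completes the exchange."""
    store = store_cls("example", {})
    attacker_state = authorize_redirect(store, {})
    try:
        authorize_access_token(store, {}, {"oauth_token": attacker_state,
                                           "oauth_verifier": "attacker-verifier"})
    except OAuthError:
        return False
    return True


def simulate_legitimate_login(store_cls):
    """One session starts and finishes the flow; must succeed for both stores,
    and a replay of the same callback must be rejected once the state is cleared."""
    store = store_cls("example", {})
    session = {}
    state = authorize_redirect(store, session)
    token = authorize_access_token(store, session, {"oauth_token": state})
    try:
        authorize_access_token(store, session, {"oauth_token": state})
        replay_rejected = False
    except OAuthError:
        replay_rejected = True
    return token["redeemed_request_token"] == state and replay_rejected


if __name__ == "__main__":
    for cls in (CacheStateStore, SessionBoundStateStore):
        print(cls.__name__, "login CSRF succeeds:", simulate_login_csrf(cls),
              "legitimate login ok:", simulate_legitimate_login(cls))
```

The session-bound variant is one illustration of the missing property, namely that only the session which started the flow can redeem its state; it still assumes the victim's session cookie is not attacker-controlled (session fixation would defeat it). The non-cache path quoted above already has this property because the blob lives in the session itself. For the real library, apply the fixed release referenced in the advisory rather than reimplementing the storage.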
References
- github.com/advisories/GHSA-fg6f-75jq-6523
- github.com/authlib/authlib
- github.com/authlib/authlib/commit/2808378611dd6fb2532b189a9087877d8f0c0489
- github.com/authlib/authlib/commit/7974f45e4d7492ab5f527577677f2770ce423228
- github.com/authlib/authlib/security/advisories/GHSA-fg6f-75jq-6523
- nvd.nist.gov/vuln/detail/CVE-2025-68158