CVE-2025-65430: django-allauth does not reject access tokens for inactive users
An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as is_active=False after having handed out tokens for that user while the account was still active had no effect. Fixed: the access/refresh tokens issued to a user who is later deactivated are now rejected.
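The class of defect described above, shown with a toy in-memory identity provider (an added example written for this page, not django-allauth's own code): the vulnerable validator checks only that a token exists and is unexpired, while the corrected validator also re-reads the user's `is_active` flag at validation time. The `ToyIdP` class, its methods and the user "alice" are all constructed for the example.

```python
import secrets
import time


class User:
    """Constructed user record; only the fields the check needs."""
    def __init__(self, username, is_active=True):
        self.username = username
        self.is_active = is_active


class ToyIdP:
    """Hypothetical IdP keeping users and issued bearer tokens in memory."""
    def __init__(self, ttl_seconds=3600):
        self.users = {}    # username -> User
        self.tokens = {}   # token value -> (username, expires_at)
        self.ttl = ttl_seconds

    def add_user(self, username):
        self.users[username] = User(username)

    def issue_token(self, username):
        # Issuance already refuses inactive users; the bug is in validation.
        user = self.users[username]
        if not user.is_active:
            raise PermissionError("inactive user")
        value = secrets.token_urlsafe(32)
        self.tokens[value] = (username, time.time() + self.ttl)
        return value

    def validate_token_vulnerable(self, value):
        # Checks only existence and expiry, so deactivating the user later
        # has no effect on tokens handed out while the account was active.
        entry = self.tokens.get(value)
        if entry is None or entry[1] < time.time():
            return None
        return entry[0]

    def validate_token_fixed(self, value):
        # Same checks, plus the user's current state at validation time.
        entry = self.tokens.get(value)
        if entry is None or entry[1] < time.time():
            return None
        user = self.users.get(entry[0])
        if user is None or not user.is_active:
            return None
        return entry[0]


def demo():
    """Issue a token to an active user, deactivate the user, validate both ways."""
    idp = ToyIdP()
    idp.add_user("alice")
    token = idp.issue_token("alice")
    idp.users["alice"].is_active = False
    return idp.validate_token_vulnerable(token), idp.validate_token_fixed(token)
```

Running `demo()` shows the vulnerable validator still accepting the token for the deactivated user while the fixed one rejects it.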
References
- allauth.org/news/2025/10/django-allauth-65.13.0-released
- codeberg.org/allauth/django-allauth
- github.com/advisories/GHSA-qhmc-3mvr-f2j4
- github.com/pennersr/django-allauth/commit/39f4a4ce9c891795b00914ca5ec32de72d5369c0
- github.com/pennersr/django-allauth/commit/c54edf947c5a1c8c4ff3cddb75c86000ecb2507d
- nvd.nist.gov/vuln/detail/CVE-2025-65430