6.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-14546

CVE-2025-14546: FastAPI SSP is vulnerable to Cross-site Request Forgery (CSRF) through improper OAuth parameter validation

Versions of the package fastapi-sso before 0.19.0 are vulnerable to Cross-site Request Forgery (CSRF) due to the improper validation of the OAuth state parameter during the authentication callback. While the get_login_url method allows for state generation, it does not persist the state or bind it to the user's session. Consequently, the verify_and_process method accepts the state received in the query parameters without verifying it against a trusted local value. This allows a remote attacker to trick a victim into visiting a malicious callback URL, which can result in the attacker's account being linked to the victim's internal account.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-14546

CVE-2025-14546:

6.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
fastapi-sso	pip	< 0.19.0	0.19.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the security patch for CVE-2025-14546 in fastapi-sso clearly points to a CSRF vulnerability within the OAuth callback handling. The commit 6117d1a5ad498ba57d671e8a059ebe20db5abe02 reveals that the verify_and_process method in fastapi_sso/sso/base.py was modified to enforce state validation. Before the patch, the function would accept the state parameter from the URL query (request.query_params.get("state")) without any verification. This is the core of the vulnerability. The fix involves storing the generated state in a browser cookie (response.set_cookie("sso_state", state)) within the get_login_redirect function and then comparing this cookie value with the state parameter received in the callback within verify_and_process. The absence of this comparison in the vulnerable versions is what allows the CSRF attack. Therefore, the SSOBase.verify_and_process function is the primary vulnerable function that would be hit during exploitation.

Vulnerable functions

SSOBase.verify_and_process

fastapi_sso/sso/base.py

The `verify_and_process` method in the `SSOBase` class was vulnerable to Cross-Site Request Forgery (CSRF). It directly used the 'state' parameter from the request's query parameters without validating it against a stored, trusted value. This allowed an attacker to forge a request and bypass the protection that the 'state' parameter is supposed to provide, potentially linking their own external account to a victim's local account.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-14546: FastAPI SSP is vulnerable to Cross-site Request Forgery (CSRF) through improper OAuth parameter validation

CVE-2025-14546:

6.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

CVE-2025-14546: FastAPI SSP is vulnerable to Cross-site Request Forgery (CSRF) through improper OAuth parameter validation

Technical Details

6.3

6.3

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI