
CVE-2025-61783: Python Social Auth - Django has unsafe account association

CVSS Score: N/A

Basic Information

- EPSS Score: -
- Published: 10/9/2025
- Updated: 10/9/2025
- KEV Status: No
- Technology: Python

Technical Details

CVSS Vector: -

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| social-auth-app-django | pip | < 5.6.0 | 5.6.0 |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The analysis of the security advisory and the associated patch commit 10c80e2ebabeccd4e9c84ad0e16e1db74148ed4c clearly points to the create_user method within the DjangoUserMixin class in social_django/storage.py as the source of the vulnerability. The vulnerability description states that an account could be associated by email even when this was not explicitly configured, leading to potential account compromise. The patch directly addresses this by changing the behavior of the create_user function. Previously, when an IntegrityError was caught (which happens when trying to create a user that already exists), the code would attempt to find and link to that existing user. This is the unsafe association. The fix removes this behavior and instead raises an AuthAlreadyAssociated exception, forcing the authentication process to stop. Therefore, any runtime profile captured during exploitation of this vulnerability would show the DjangoUserMixin.create_user function being executed.

Vulnerable functions

DjangoUserMixin.create_user
social_django/storage.py
The vulnerability lies in the exception handling block of the `create_user` method. When an `IntegrityError` occurred during user creation (e.g., because a user with that email already exists), the original code would proceed to fetch and return the existing user based on the provided arguments, effectively associating the new social account with the pre-existing user account. This could lead to account takeover if an attacker registers on a third-party service with a victim's email address. The patch removes this logic and instead raises an `AuthAlreadyAssociated` exception, preventing the automatic association.
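The following is an added illustration of the two behaviours described above, not code from social-auth-app-django or from the patch: a constructed in-memory SQLite table with a UNIQUE e-mail column stands in for the Django user model, `create_user_unsafe` mirrors the pre-5.6.0 "catch IntegrityError, return the existing user" pattern, and `create_user_fixed` mirrors the patched behaviour of raising `AuthAlreadyAssociated`. The function and table names are assumptions made for the example.

```python
"""Simulated create_user(): unsafe IntegrityError fallback vs. patched behaviour.

Constructed stand-in for the logic described in the advisory; it is NOT the
project's real social_django/storage.py. An in-memory SQLite table with a
UNIQUE e-mail column plays the role of the Django user model.
"""
import sqlite3


class AuthAlreadyAssociated(Exception):
    """Collision with an existing account: stop the auth pipeline."""


def new_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE auth_user (id INTEGER PRIMARY KEY, "
               "username TEXT UNIQUE, email TEXT UNIQUE)")
    return db


def _insert(db, username, email):
    return db.execute("INSERT INTO auth_user (username, email) VALUES (?, ?)",
                      (username, email)).lastrowid


def create_user_unsafe(db, username, email):
    """Pre-5.6.0 pattern: on IntegrityError, silently re-use the existing row,
    so the social identity that caused the collision is linked to whichever
    account already owns that e-mail address (no associate_by_email needed)."""
    try:
        return _insert(db, username, email)
    except sqlite3.IntegrityError:
        row = db.execute("SELECT id FROM auth_user WHERE email = ?", (email,)).fetchone()
        return row[0] if row else None


def create_user_fixed(db, username, email):
    """Patched pattern: a collision is an error, never an implicit association."""
    try:
        return _insert(db, username, email)
    except sqlite3.IntegrityError as exc:
        raise AuthAlreadyAssociated(f"account for {email!r} already exists") from exc


def demo():
    """Existing account first; a later social login presents the same e-mail.
    Returns (unsafe_linked_to_existing_account, fixed_raised)."""
    db = new_db()
    existing = create_user_unsafe(db, "alice", "alice@example.com")
    linked = create_user_unsafe(db, "alice-via-provider", "alice@example.com")
    db2 = new_db()
    create_user_fixed(db2, "alice", "alice@example.com")
    try:
        create_user_fixed(db2, "alice-via-provider", "alice@example.com")
        raised = False
    except AuthAlreadyAssociated:
        raised = True
    return existing == linked, raised
```

Run `demo()`: the unsafe variant hands the second login the first user's id, while the fixed variant stops the pipeline, which is why linking by e-mail must be an explicit pipeline choice rather than a side effect of a database error.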

Impact

Upon authentication, the user could be associated by e-mail even if the `associate_by_email` pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addr
