5.4

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-65430

CVE-2025-65430: django-allauth does not reject access tokens for inactive users

An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as is_active=False after having handed tokens for that user while the account was still active had no effect. Fixed the access/refresh tokens are now rejected.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-65430

CVE-2025-65430:

5.4

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
django-allauth	pip	< 65.13.0	65.13.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the failure of django-allauth to consistently check the is_active status of a user account during different stages of the OAuth/OIDC token lifecycle. The analysis of the patches reveals three key areas where this check was missing:

Device Authorization Grant: The poll_device_code function did not verify the user's status before issuing tokens, allowing a deactivated user to complete the flow.
Access Token Validation: The RequestValidator.validate_bearer_token method failed to check if the user owning the token was active, permitting access to resources with a token belonging to a deactivated user.
Refresh Token Validation: The RequestValidator.validate_refresh_token method allowed a deactivated user to obtain new access tokens using a refresh token.

The root cause is an insufficient session invalidation mechanism. Deactivating a user in the system did not automatically invalidate the authentication tokens (access and refresh) that had been previously issued to them. The provided patches fix this by adding explicit user.is_active checks at each of these critical validation points, ensuring that tokens belonging to inactive users are rejected.

Vulnerable functions

poll_device_code

allauth/idp/oidc/internal/oauthlib/device_codes.py

The function `poll_device_code` is part of the device authorization grant flow. It was vulnerable because it did not check if the user associated with the device code was still active before completing the authorization process. An attacker could use a device code to obtain an access token even if the user's account had been deactivated after the device authorization process was initiated. The patch adds a check to ensure the user is active.

RequestValidator.validate_bearer_token

allauth/idp/oidc/internal/oauthlib/request_validator.py

The `validate_bearer_token` method is responsible for validating access tokens. The original implementation only checked for the existence of the token but failed to verify if the associated user was still active. This allowed an access token to be used to access protected resources even after the user account was deactivated. The patch introduces a check for `instance.user.is_active`.

RequestValidator.validate_refresh_token

allauth/idp/oidc/internal/oauthlib/request_validator.py

The `validate_refresh_token` method is used to validate refresh tokens when a client requests a new access token. The vulnerability existed because this method did not check if the user associated with the refresh token was still active. This would allow a deactivated user to continue refreshing their access tokens indefinitely. The patch adds a check for `token.user.is_active` to prevent this.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.4

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-65430: django-allauth does not reject access tokens for inactive users

CVE-2025-65430:

5.4

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

5.4

5.4

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

CVE-2025-65430: django-allauth does not reject access tokens for inactive users

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI