→

CVE-2025-65431: django-allauth's Okta and NetIQ implementations used a mutable identifier for authorization decisions

An issue was discovered in allauth-django before 65.13.0. Both Okta and NetIQ were using preferred_username as the identifier for third-party provider accounts. That value may be mutable and should therefore be avoided for authorization decisions. The providers are now using sub instead.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-65431

CVE-2025-65431:

5.4

CVSS Score

3.1

-

CVSS Score

-

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
django-allauth	pip	< 65.13.0	65.13.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in the django-allauth library's providers for Okta and NetIQ. Specifically, the extract_uid method in both the OktaProvider and NetIQProvider classes was using the preferred_username attribute from the identity provider's response as the unique identifier for a user's social account. The preferred_username is often configurable by the user and can be changed, making it a mutable identifier. An attacker could exploit this by changing their preferred_username to match that of a victim, potentially allowing them to take over the victim's account within the application. The patch addresses this by changing the extract_uid method to use the sub (subject) claim instead. The sub claim is a standard, immutable identifier in OpenID Connect and OAuth 2.0, which guarantees uniqueness and prevents such impersonation attacks. The vulnerable functions are allauth.socialaccount.providers.netiq.provider.NetIQProvider.extract_uid and allauth.socialaccount.providers.okta.provider.OktaProvider.extract_uid because they directly processed the mutable identifier.

Vulnerable functions

allauth.socialaccount.providers.netiq.provider.NetIQProvider.extract_uid

allauth/socialaccount/providers/netiq/provider.py

The function uses the 'preferred_username' field from the user data as the unique identifier (UID). This field can be mutable, meaning a user could potentially change it to impersonate another user, leading to an authentication bypass.

allauth.socialaccount.providers.okta.provider.OktaProvider.extract_uid

allauth/socialaccount/providers/okta/provider.py

The function uses the 'preferred_username' field from the user data as the unique identifier (UID). This field can be mutable, meaning a user could potentially change it to impersonate another user, leading to an authentication bypass.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.4