5.9

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-68481

CVE-2025-68481: FastAPI Users Vulnerable to 1-click Account Takeover in Apps Using FastAPI SSO

Description

The OAuth login state tokens are completely stateless and carry no per-request entropy or any data that could link them to the session that initiated the OAuth flow. generate_state_token() is always called with an empty state_data dict, so the resulting JWT only contains the fixed audience claim plus an expiration timestamp. [1]

        state_data: dict[str, str] = {}
        state = generate_state_token(state_data, state_secret)
        authorization_url = await oauth_client.get_authorization_url(
            authorize_redirect_url,
            state,
            scopes,
        )

fastapi_users/router/oauth.py:65-71

On callback, the library merely checks that the JWT verifies under state_secret and is unexpired; there is no attempt to match the state value to the browser that initiated the OAuth request, no correlation cookie, and no server-side cache. [2]

        try:
            decode_jwt(state, state_secret, [STATE_TOKEN_AUDIENCE])
        except jwt.DecodeError:
            raise HTTPException(
                status_code=status.HTTP_400_BAD_REQUEST,
                detail=ErrorCode.ACCESS_TOKEN_DECODE_ERROR,
            )
        except jwt.ExpiredSignatureError:
            raise HTTPException(
                status_code=status.HTTP_400_BAD_REQUEST,
                detail=ErrorCode.ACCESS_TOKEN_ALREADY_EXPIRED,
            )

fastapi_users/router/oauth.py:130-141

Any attacker can hit /authorize, capture the server-generated state, finish the upstream OAuth flow with their own provider account, and then trick a victim into loading .../callback?code=<attacker_code>&state=<attacker_state>. Because the state JWT is valid for any client for ~1 hour, the victim’s browser will complete the flow. This leads to login CSRF. Depending on the app’s logic, the login CSRF can lead to an account takeover of the victim account or to the victim user getting logged in to the attacker's account.

[1] https://github.com/fastapi-users/fastapi-users/blob/bcee8c9b884de31decb5d799aead3974a0b5b158/fastapi_users/router/oauth.py#L57

[2]
https://github.com/fastapi-users/fastapi-users/blob/bcee8c9b884de31decb5d799aead3974a0b5b158/fastapi_users/router/oauth.py#L111

Proof of Concept

Let’s think of an app - AwesomeFastAPIApp. Let’s assume that the AwesomeFastAPIApp has internal logic that uses a UserManager different from the default BaseUserManager. With this manager, when an already logged-in user performs a callback request, the newly provided SSO identity gets linked to the already existing user that made the request.

Then, an attacker can get account takeover inside the app by performing the following actions:

1. They start an SSO OAuth flow, but stop it right before making the callback call to AwesomeFastAPIApp;
2. The attacker tricks a logged-in user (via phishing, a drive-by attack, etc.) to perform a GET request with the attacker's state value and grant code to the AwesomeFastAPIApp callback. Because the library doesn’t check whether the state token is linked to the session performing the callback, the callback is processed, the grant code is sent to the provider, and the account linking takes place.

After the GET request is performed, the attacker's SSO account is linked with the victim's AwesomeFastAPIApp account permanently.

Suggested Fix

Make the state a value tied to the session of the user that initiated the OAuth flow, as recommended by the official RFC. [3]

[3] https://www.rfc-editor.org/rfc/rfc6749#section-10.12

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-68481

CVE-2025-68481:

5.9

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
fastapi-users	pip	< 15.0.2	15.0.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a Cross-Site Request Forgery (CSRF) in the OAuth flow of fastapi-users. The root cause is the use of a stateless state parameter in the OAuth 2.0 authorization process. The state parameter, implemented as a JWT, did not contain any per-session or per-request data to link it to the browser session that initiated the login flow.

The analysis of the patch commit 7cf413cd766b9cb0ab323ce424ddab2c0d235932 reveals that the authorize functions in both get_oauth_router and get_oauth_associate_router were modified to generate a CSRF token. This token is included in the state JWT and also sent to the client as a secure, HTTP-only cookie (a 'double-submit cookie').

Consequently, the corresponding callback functions were updated to validate the state parameter by comparing the CSRF token from the JWT with the one received in the cookie. Before the patch, these callback functions only validated the JWT's signature and expiration, leaving them open to CSRF. An attacker could initiate an OAuth flow, obtain a valid state token, and then trick a victim into using that token to link the attacker's OAuth identity to the victim's account or log the victim into the attacker's account.

The vulnerable functions are the inner authorize and callback functions defined within get_oauth_router and get_oauth_associate_router, as they were responsible for the insecure handling of the OAuth state.

Vulnerable functions

get_oauth_router.<locals>.authorize

fastapi_users/router/oauth.py

The `authorize` function within `get_oauth_router` was vulnerable because it generated a stateless OAuth `state` token. This token did not contain any per-request information (like a CSRF token) that could tie the OAuth flow to the user's session. An attacker could initiate an OAuth flow, capture the state token, and then trick a victim into using it, leading to a Cross-Site Request Forgery (CSRF) attack and potential account takeover.

get_oauth_router.<locals>.callback

fastapi_users/router/oauth.py

The `callback` function within `get_oauth_router` was vulnerable because it only validated the signature and expiration of the incoming `state` JWT. It did not perform any check to ensure the token was tied to the user's session (e.g., via a CSRF token). This allowed an attacker's state token to be used in a victim's session, completing the CSRF attack.

get_oauth_associate_router.<locals>.authorize

fastapi_users/router/oauth.py

Similar to the main OAuth router, the `authorize` function for account association generated a `state` token without a CSRF token. Although it included the user's ID, it was still susceptible to CSRF, as an attacker could initiate the flow and then have the victim complete it, potentially linking the attacker's OAuth account to the victim's application account.

get_oauth_associate_router.<locals>.callback

fastapi_users/router/oauth.py

The `callback` function for account association was vulnerable as it did not validate a CSRF token. It checked if the user ID in the state matched the logged-in user, but this check happened after the CSRF vulnerability could be exploited. An attacker could leverage the lack of CSRF protection to have their OAuth account associated with the victim's account.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.9

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-68481: FastAPI Users Vulnerable to 1-click Account Takeover in Apps Using FastAPI SSO

CVE-2025-68481:

5.9

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

5.9

5.9

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-68481: FastAPI Users Vulnerable to 1-click Account Takeover in Apps Using FastAPI SSO

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI