{
  "id": "CVE-2025-14546",
  "details": "Versions of the package fastapi-sso before 0.19.0 are vulnerable to Cross-site Request Forgery (CSRF) due to the improper validation of the OAuth state parameter during the authentication callback. While the get_login_url method allows for state generation, it does not persist the state or bind it to the user's session. Consequently, the verify_and_process method accepts the state received in the query parameters without verifying it against a trusted local value. This allows a remote attacker to trick a victim into visiting a malicious callback URL, which can result in the attacker's account being linked to the victim's internal account.",
  "aliases": ["GHSA-hp6r-r9vc-q8wx"],
  "modified": "2026-04-30T15:29:28.241232403Z",
  "published": "2025-12-19T05:16:09.497Z",
  "related": ["CGA-jfvw-vmqh-56hh"],
  "references": [
    {"type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-PYTHON-FASTAPISSO-14386403"},
    {"type": "REPORT", "url": "https://github.com/tomasvotava/fastapi-sso/issues/266"},
    {"type": "FIX", "url": "https://github.com/tomasvotava/fastapi-sso/commit/6117d1a5ad498ba57d671e8a059ebe20db5abe02"}
  ],
  "affected": [
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://github.com/tomasvotava/fastapi-sso",
          "events": [
            {"introduced": "0"},
            {"fixed": "c905eafe2d6d7aab5d2b929e53ba98f238fdb21d"},
            {"fixed": "6117d1a5ad498ba57d671e8a059ebe20db5abe02"}
          ],
          "database_specific": {
            "versions": [{"introduced": "0"}, {"fixed": "0.19.0"}]
          }
        }
      ],
      "versions": [
        "0.10.0", "0.11.0", "0.12.0", "0.12.1", "0.12.2", "0.13.0", "0.13.1",
        "0.14.0", "0.14.1", "0.14.2", "0.15.0", "0.16.0", "0.17.0", "0.18.0",
        "0.2.10", "0.2.11", "0.2.12", "0.2.13", "0.2.21", "0.2.3", "0.2.9",
        "0.3.0", "0.4.0", "0.5.0", "0.5.1", "0.6.1", "0.6.2", "0.6.3", "0.6.4",
        "0.7.0", "0.7.1", "0.7.2", "0.7.3", "0.7.4", "0.8.0", "0.9.0", "0.9.1"
      ],
      "database_specific": {
        "source": "https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-14546.json"
      }
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "type": "CVSS_V4",
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
    }
  ]
}