Authlib's Amnesia: The 1-Click Hijack via Global Cache
Vulnerability ID: CVE-2025-68158
CVSS Score: 5.7
Published: 2026-01-08
A critical logic flaw in Authlib's OAuth implementation allows Login CSRF and Account Takeover when a cache backend is used. Because state verification is decoupled from the user session, an attacker can trick the application into accepting an OAuth callback that the victim's session never initiated.
TL;DR
If you use Authlib with a Redis or Memcached backend for storing OAuth state, your application is vulnerable to a 1-click account takeover. The library fails to verify that the user finishing the OAuth flow is the same one who started it. An attacker can obtain a valid OAuth token from their own authorization step, send the resulting callback link to a victim, and thereby link the attacker's social account to the victim's profile.
⚠️ Exploit Status: POC
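As an added illustration (constructed for this post, not Authlib's code and not the patched logic), here is a minimal Python model of the two lookup strategies: one that resolves callback state from a shared cache alone, and one that additionally requires the calling session to have issued that state. The `create`/`consume` methods and the `oauth_states` session key are assumptions of this model.

```python
import secrets


class CacheOnlyState:
    """Vulnerable pattern: state lives only in a cache shared by all
    sessions, keyed by the state value, so any session can consume it."""

    def __init__(self):
        self.cache = {}  # stands in for Redis/Memcached (constructed)

    def create(self, session, redirect_uri):
        state = secrets.token_urlsafe(16)
        self.cache[state] = {"redirect_uri": redirect_uri}
        return state

    def consume(self, session, state):
        # Only the cache is consulted; nothing ties `state` to `session`.
        return self.cache.pop(state, None)


class SessionBoundState:
    """Hardened pattern: the session that started the flow records which
    states it issued; the callback rejects any state it did not issue."""

    def __init__(self):
        self.cache = {}

    def create(self, session, redirect_uri):
        state = secrets.token_urlsafe(16)
        self.cache[state] = {"redirect_uri": redirect_uri}
        session.setdefault("oauth_states", set()).add(state)  # assumed key
        return state

    def consume(self, session, state):
        issued = session.get("oauth_states", set())
        if state not in issued:
            return None  # callback not initiated by this session: reject
        issued.discard(state)  # one-time use
        return self.cache.pop(state, None)


def cross_session_accepted(store_cls):
    """True if a state created in one session is accepted from another
    (the login-CSRF condition the advisory describes)."""
    store = store_cls()
    initiator, other = {}, {}
    state = store.create(initiator, "https://app.example/callback")
    return store.consume(other, state) is not None


def same_session_accepted(store_cls):
    """True if the legitimate flow (same session start and finish) works."""
    store = store_cls()
    session = {}
    state = store.create(session, "https://app.example/callback")
    return store.consume(session, state) is not None
```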
Technical Details
- CWE ID: CWE-352 (CSRF)
- Attack Vector: Network
- CVSS Score: 5.7 (Medium)
- Privileges Required: Low (User)
- User Interaction: Required (1-click)
- Exploit Status: PoC Available
Affected Systems
- Python applications using Authlib
- Flask/Django apps with Authlib OAuth clients
- Systems using Redis/Memcached for OAuth state storage
- Authlib: <= 1.6.5 (Fixed in: 1.6.6)
Code Analysis
Commit: 2808378
Fix cache-backed state storage session binding
@@ -1,5 +1,7 @@
- if self.cache:
- value = self.cache.get(key)
+ session_data = session.get(key)
+ if not session_data:
+ return None
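Review bot: the excerpt removes `value = self.cache.get(key)` and substitutes a session lookup, but none of the visible lines read the cache after `if not session_data: return None`, so as shown the cache backend is no longer consulted at all rather than gated by the session; either keep the `self.cache.get(key)` read below the session check so a session-issued key still resolves its cached value, or say in the commit message that cache-backed state is now served from the session only. The hunk header (-1,5 +1,7) also counts more lines than the five shown, and where `session` comes from (parameter or request context) is not visible; the context lines should make that clear.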
Exploit Details
- GitHub Advisory: Advisory containing the logical proof of concept for 1-click ATO.
Mitigation Strategies
- Upgrade Authlib library immediately
- Disable cache-backed state storage if upgrade is impossible
- Monitor for successful OAuth callbacks initiated by unknown sessions
Remediation Steps:
- pip install 'authlib>=1.6.6' (quote the specifier so the shell does not treat >= as a redirect)
- Verify configuration to ensure the cache parameter is handled correctly
- Audit existing user account links for unrecognized social providers
References
Read the full report for CVE-2025-68158 on our website for more details including interactive diagrams and full exploit analysis.