DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-68158: Authlib's Amnesia: The 1-Click Hijack via Global Cache


Vulnerability ID: CVE-2025-68158
CVSS Score: 5.7
Published: 2026-01-08

A logic flaw in Authlib's OAuth client integration allows login CSRF and account takeover when a cache backend is used for OAuth state storage. Because state verification is decoupled from the user's session, an attacker can trick the application into accepting an OAuth callback for a flow the victim never started.

TL;DR

If you use Authlib with a Redis or Memcached backend for storing OAuth state, your application is vulnerable to a 1-click account takeover. The library did not verify that the user finishing the OAuth flow is the same one who started it: the state value was looked up in the shared cache only, not in the caller's session. An attacker can start a flow, authorize it with their own provider account to obtain a valid state/code pair, and send the resulting callback URL to a victim. When the victim's browser follows it, the attacker's social account is linked to the victim's profile, which becomes a full account takeover wherever that linked account can be used to log in.
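The following is an added example, not Authlib's own code: a minimal model of the cache-backed state handling described above, with a session-bound variant beside it. The provider name, the cache key layout, the `GlobalCache` class and the session dictionaries are assumptions for illustration; the point is that the vulnerable lookup consults only the shared cache, so a state minted in the attacker's session is accepted in the victim's.

```python
# Added example (not Authlib's code): model of the cache-backed state flaw behind
# CVE-2025-68158 next to a session-bound variant. Provider name, key layout and
# the cache class are assumptions for illustration.
import hmac
import secrets
from typing import Callable, Dict, Optional

PROVIDER = "github"  # hypothetical registered client name


class GlobalCache:
    """Stand-in for a Redis/Memcached backend shared by every user of the app."""

    def __init__(self) -> None:
        self._data: Dict[str, dict] = {}

    def get(self, key: str) -> Optional[dict]:
        return self._data.get(key)

    def set(self, key: str, value: dict) -> None:
        self._data[key] = value

    def delete(self, key: str) -> None:
        self._data.pop(key, None)


cache = GlobalCache()


def state_key(state: str) -> str:
    # One global namespace, keyed only by the state value (assumed layout)
    return f"_state_{PROVIDER}_{state}"


# --- vulnerable pattern: the state lives only in the shared cache -------------
def vuln_start_login(session: dict) -> str:
    state = secrets.token_urlsafe(16)
    cache.set(state_key(state), {"redirect_uri": "https://app.example/callback"})
    return state  # the caller's session is never touched


def vuln_finish_login(session: dict, state: str) -> Optional[dict]:
    data = cache.get(state_key(state))  # any session presenting a cached state passes
    if data is None:
        return None
    cache.delete(state_key(state))
    return data


# --- hardened pattern: the session must prove it started this flow ------------
def safe_start_login(session: dict) -> str:
    state = secrets.token_urlsafe(16)
    cache.set(state_key(state), {"redirect_uri": "https://app.example/callback"})
    session[f"_state_{PROVIDER}"] = state  # bind the state to this browser session
    return state


def safe_finish_login(session: dict, state: str) -> Optional[dict]:
    expected = session.pop(f"_state_{PROVIDER}", None)  # single use
    if expected is None or not hmac.compare_digest(expected, state):
        return None  # callback for a flow this session did not start
    data = cache.get(state_key(state))
    if data is None:
        return None
    cache.delete(state_key(state))
    return data


def run_attack(start: Callable[[dict], str],
               finish: Callable[[dict, str], Optional[dict]]) -> bool:
    """True if a flow started in the attacker's session is accepted in the victim's."""
    attacker_session: dict = {}
    victim_session: dict = {}
    state = start(attacker_session)
    # The attacker authorises the app against their own provider account, obtains
    # a callback URL carrying this state (plus the provider's code) and sends it
    # to the victim. Only the state check is modelled; the code exchange would
    # succeed because the attacker genuinely authorised it.
    return finish(victim_session, state) is not None


def run_legit(start: Callable[[dict], str],
              finish: Callable[[dict, str], Optional[dict]]) -> bool:
    """True if a flow started and finished in the same session is accepted."""
    session: dict = {}
    state = start(session)
    return finish(session, state) is not None


if __name__ == "__main__":
    print("vulnerable, attacker state accepted in victim session:",
          run_attack(vuln_start_login, vuln_finish_login))
    print("hardened, attacker state accepted in victim session:",
          run_attack(safe_start_login, safe_finish_login))
```

The hardened variant keeps the cache (so the flow still survives multiple app workers) but adds one session-scoped fact, the state this session issued, and refuses any callback that does not match it. Note the `pop`: the binding is single use, so a replayed callback in the legitimate session is rejected too.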


⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-352 (CSRF)
  • Attack Vector: Network
  • CVSS Score: 5.7 (Medium)
  • Privileges Required: Low (User)
  • User Interaction: Required (1-click)
  • Exploit Status: PoC Available

Affected Systems

  • Python applications using Authlib
  • Flask/Django apps with Authlib OAuth clients
  • Systems using Redis/Memcached for OAuth state storage
  • Authlib: <= 1.6.5 (Fixed in: 1.6.6)

Code Analysis

Commit: 2808378

Fix cache-backed state storage session binding

@@ -1,5 +1,7 @@
-        if self.cache:
-            value = self.cache.get(key)
+        session_data = session.get(key)
+        if not session_data:
+            return None
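Review bot: the replacement on the `+` lines reads only `session.get(key)` and drops the `self.cache` branch entirely, so as shown nothing in the cache is consulted any more; if cache-backed storage is still supported, the session lookup should gate the cache read (for example keep the state key in the session and fetch the cached data only when `session_data` matches it), and the write path that stores the state must be changed in the same commit, which this hunk does not show. The header `@@ -1,5 +1,7 @@` also promises more lines than appear here, so the hunk looks truncated; the return of the cached value is missing from what is visible.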

Exploit Details

  • GitHub Advisory: Advisory containing the logical proof of concept for 1-click ATO.

Mitigation Strategies

  • Upgrade Authlib to 1.6.6 or later
  • If upgrading is impossible, disable cache-backed state storage and fall back to session-backed state so the state is scoped to the user's session
  • Monitor for successful OAuth callbacks whose state was not issued to the same session (a callback from a session that never started the flow)

Remediation Steps:

  1. pip install "authlib>=1.6.6"
  2. Verify the OAuth client configuration to confirm how the cache parameter is used and that state is bound to the session after the upgrade
  3. Audit existing user account links for unrecognized social provider accounts added while the vulnerable version was deployed
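To make the monitoring and audit steps above concrete, here is an added example that is not part of the advisory: detection logic run over constructed log lines. It assumes the application logs an `oauth_authorize` event when a flow starts and an `oauth_callback` event when it finishes, both carrying a session identifier and the state value; the log format, field names and session ids are assumptions, so adapt the regex to what your application actually emits. It flags every successful callback whose state was issued to a different session or to no session at all, which is exactly the condition the vulnerable library did not check.

```python
# Added example (not from the advisory): flag successful OAuth callbacks whose
# state was not issued to the same session. Log format and sample lines are
# constructed assumptions.
import re
from typing import Dict, Iterable, List, Optional, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) event=(?P<event>\S+) "
    r"state=(?P<state>\S+)(?: result=(?P<result>\S+))?$"
)

# Constructed sample: alice's flow is normal; mallory starts a flow whose state
# is later redeemed in bob's session; carol redeems a state nobody issued;
# dave's callback fails and is ignored.
SAMPLE_LOG = """
2026-01-08T10:00:01Z session=s-alice event=oauth_authorize state=a1b2
2026-01-08T10:00:04Z session=s-alice event=oauth_callback state=a1b2 result=success
2026-01-08T10:01:10Z session=s-mallory event=oauth_authorize state=m9z8
2026-01-08T10:03:30Z session=s-bob event=oauth_callback state=m9z8 result=success
2026-01-08T10:05:00Z session=s-carol event=oauth_callback state=q7q7 result=success
2026-01-08T10:06:00Z session=s-dave event=oauth_callback state=zzzz result=failure
""".strip().splitlines()

# (timestamp, session that redeemed the state, state, session that issued it or None)
Alert = Tuple[str, str, str, Optional[str]]


def find_unbound_callbacks(lines: Iterable[str]) -> List[Alert]:
    """Return one alert per successful callback not bound to the issuing session."""
    issued: Dict[str, str] = {}  # state -> session that started the flow
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        rec = m.groupdict()
        if rec["event"] == "oauth_authorize":
            issued[rec["state"]] = rec["session"]
        elif rec["event"] == "oauth_callback" and rec["result"] == "success":
            origin = issued.get(rec["state"])
            if origin != rec["session"]:
                alerts.append((rec["ts"], rec["session"], rec["state"], origin))
    return alerts


if __name__ == "__main__":
    for ts, sess, state, origin in find_unbound_callbacks(SAMPLE_LOG):
        print(f"{ts} ALERT session={sess} redeemed state={state} "
              f"issued_by={origin or 'nobody'}")
```

The check only works if the application logs a session identifier on both events; the vulnerable library did not consult the session at all, so this is something the application has to record itself. Running it over historical logs from the period a vulnerable version was deployed gives a starting list of the account links to audit in step 3.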

Read the full report for CVE-2025-68158 on our website for more details including interactive diagrams and full exploit analysis.
