Unknown · Fastapi-Sso · CVE-2025-14546
**Name of the Vulnerable Software and Affected Versions**
fastapi-sso versions prior to 0.19.0
**Description**
The software is vulnerable to Cross-Site Request Forgery (CSRF) because the OAuth `state` parameter is not validated during the authentication callback. The `get_login_url` method generates a state value but neither stores it nor binds it to the user's session. The `verify_and_process` method then accepts whatever `state` value arrives in the callback query string without comparing it to a trusted, locally stored value, so the parameter provides no CSRF protection. An attacker can start an OAuth login with an account they control, capture the resulting callback URL (carrying the attacker's authorization code and state), and trick a user into visiting it; the application then processes the attacker's identity inside the victim's session, potentially linking the attacker's provider account to the victim's internal account.
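The following is an added example, not code from fastapi-sso, showing the missing check in stand-alone Python with only the standard library: the state is generated with `secrets`, bound to the caller's session when the login URL is built, and compared in constant time (and consumed, so it is single-use) when the callback arrives. The in-memory `SESSIONS` dictionary, the placeholder authorization endpoint and the function names `build_login_url`, `verify_callback_unchecked` and `verify_callback` are assumptions for this example; in a deployment the state would live in the user's server-side session or a signed, HttpOnly cookie.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed in-memory session store (session_id -> session data).
# Assumption for this example; a real app uses its session middleware.
SESSIONS: dict[str, dict[str, str]] = {}

# Constructed placeholder for the identity provider's authorization endpoint.
AUTHORIZE_ENDPOINT = "https://idp.example/authorize"


def build_login_url(session_id: str, client_id: str, redirect_uri: str) -> str:
    """Generate an unguessable state, bind it to this session, and embed it
    in the authorization URL. The binding is what the vulnerable code lacked."""
    state = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["oauth_state"] = state
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def state_from_url(url: str) -> str:
    """Extract the state parameter from a URL (helper for callers and tests)."""
    return parse_qs(urlparse(url).query).get("state", [""])[0]


def verify_callback_unchecked(callback_url: str) -> str:
    """Vulnerable pattern, as described in the advisory: the callback's state is
    read but never compared to anything, so any code the attacker chose is
    accepted and processed in whatever session the victim happens to hold."""
    params = parse_qs(urlparse(callback_url).query)
    return params["code"][0]


def verify_callback(session_id: str, callback_url: str) -> str:
    """Hardened pattern: the presented state must match the state stored for
    this session. The stored value is removed first, so a state can be used
    once only and a mismatch also invalidates the pending login."""
    params = parse_qs(urlparse(callback_url).query)
    presented = params.get("state", [""])[0]
    expected = SESSIONS.get(session_id, {}).pop("oauth_state", None)
    if not expected or not hmac.compare_digest(
        presented.encode("utf-8"), expected.encode("utf-8")
    ):
        raise PermissionError("OAuth state mismatch: rejecting callback (possible CSRF)")
    return params["code"][0]


def attack_rejected(session_id: str, crafted_callback_url: str) -> bool:
    """Return True when the hardened verifier refuses a callback URL that was
    not produced for this session (e.g. one crafted by an attacker)."""
    try:
        verify_callback(session_id, crafted_callback_url)
    except PermissionError:
        return True
    return False
```

The check has to compare against a value the server stored for *this* user, not merely confirm that some state is present; an attacker-supplied callback always carries a state, just not the victim's. Consuming the stored state on first use also blocks replay of a legitimate callback URL.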
**Recommendations**
Update to version 0.19.0 or later.