Unknown · Fastapi Users · CVE-2025-68481
**Name of the Vulnerable Software and Affected Versions**
FastAPI Users versions prior to 15.0.2
**Description**
FastAPI Users is a library that adds registration and authentication to FastAPI projects. A login Cross-Site Request Forgery (CSRF) exists because OAuth login state tokens are stateless and carry no per-request entropy or data linking them to the initiating session. The `generate_state_token()` function is always called with an empty `state_data` dictionary, so the resulting JWT contains only a fixed audience claim and an expiration timestamp. On callback, the library verifies only the JWT's signature and expiration, without correlating the token with the initiating browser or consulting a server-side cache. An attacker can capture a server-generated state, complete the OAuth flow with their own account, and then trick a victim into loading a crafted callback URL. This allows the attacker to potentially take over the victim's account or log the victim into the attacker's account. The **API endpoints** `/authorize` and `/callback?code=<attacker_code>&state=<attacker_state>` are involved in this issue. The vulnerable function is `generate_state_token()`.
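The flaw described above, as an added example that is not FastAPI Users' own code: a signed state token carrying only an audience claim and an expiry, which any holder can replay, beside a hardened form that binds the state to the initiating browser through a per-request nonce stored in a cookie and compared on callback. The HMAC token format, `SECRET` and `AUDIENCE` values are constructed stand-ins for the library's JWT.

```python
# Added example, not FastAPI Users' own code: a stateless OAuth "state" with only
# audience and expiry (the flaw above) beside one bound to the browser via a nonce cookie.
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

SECRET = b"constructed-demo-secret"  # assumption: the app's signing key
AUDIENCE = "oauth-state"             # placeholder audience claim

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _sign(payload: dict) -> str:
    # Compact HMAC-signed token standing in for the library's JWT.
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"

def _verify(token: str) -> Optional[dict]:
    # Signature and expiry only: exactly what the vulnerable callback checks.
    try:
        body, mac = token.split(".", 1)
        given = _unb64(mac)
    except ValueError:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):
        return None
    payload = json.loads(_unb64(body))
    return payload if payload.get("exp", 0) > time.time() else None

def weak_state(lifetime: int = 3600) -> str:
    # Empty state_data: nothing ties the token to the browser that started the flow.
    return _sign({"aud": AUDIENCE, "exp": int(time.time()) + lifetime})

def verify_weak_state(state: str) -> bool:
    # Accepts any validly signed, unexpired state, whoever obtained it.
    return _verify(state) is not None

def bound_state(lifetime: int = 3600) -> tuple:
    # Hardened: a fresh nonce goes into the signed state and into a cookie.
    nonce = secrets.token_urlsafe(32)
    return _sign({"aud": AUDIENCE, "exp": int(time.time()) + lifetime, "nonce": nonce}), nonce

def verify_bound_state(state: str, cookie_nonce: Optional[str]) -> bool:
    # Callback must see the same nonce in the cookie and inside the signed state.
    payload = _verify(state)
    return bool(payload and cookie_nonce and
                hmac.compare_digest(payload.get("nonce", ""), cookie_nonce))
```

In a real deployment the nonce cookie would be set HttpOnly and SameSite on the `/authorize` response and cleared after the callback check.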
**Recommendations**
Update to FastAPI Users version 15.0.2 or later.