CVE-2025-43856

Name of the Vulnerable Software and Affected Versions: immich versions prior to 1.132.0

Description: immich is a self-hosted photo and video management solution. A flaw exists in the OAuth2 implementation where the state parameter is not validated. This parameter, functioning similarly to a Cross-Site Request Forgery (CSRF) token, is intended to verify that the login flow was initiated by the user in the current browser session. The absence of this verification, combined with the use of the /user-settings page as a redirect URI, allows an attacker to link accounts automatically. An attacker can exploit this by embedding a hidden iframe or sending a forged OAuth login URL, potentially logging a victim into the attacker’s OAuth account and subsequently linking the accounts within immich. This enables the attacker to log into the victim’s immich account using their own OAuth credentials.

Recommendations: Upgrade to immich version 1.132.0 or later to address this issue.