PT-2025-51215 · Unknown · Allauth-Django

Published 2025-01-01 · Updated 2026-05-04 · CVE-2025-65430

CVSS v3.1 5.4 Medium
Vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions allauth-django versions prior to 65.13.0
Description Access and refresh tokens were not rejected after a user was marked as inactive. If an account was deactivated (is_active=False) after tokens had already been issued, those tokens remained valid and could still be presented, so the account kept working after it should have been locked. The fix rejects access and refresh tokens that belong to a deactivated user.
Recommendations Update to allauth-django version 65.13.0 or later.
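The failure mode above, reduced to a self-contained illustration. This is added example code, not allauth-django's implementation: the HMAC-signed token format, the in-memory user table and the function names are all assumptions. It contrasts a resolver that trusts any well-signed token with one that re-reads the user's current is_active flag on every access and refresh, which is the behaviour the fix requires.

```python
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


# Hypothetical stand-in for Django's user rows; not allauth's code.
@dataclass
class User:
    id: int
    username: str
    is_active: bool = True


def make_users() -> dict:
    # Constructed sample data for the demonstration.
    return {1: User(1, "alice"), 2: User(2, "bob")}


SECRET = secrets.token_bytes(32)  # process-local signing key (assumption)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: int, kind: str) -> str:
    # kind is "access" or "refresh"; both are plain HMAC-signed claims here,
    # with no server-side state, which is exactly why revocation needs a check.
    payload = _b64(json.dumps({"sub": user_id, "kind": kind}).encode())
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def _verify_signature(token: str):
    # Returns the claims dict for a correctly signed token, else None.
    if "." not in token:
        return None
    payload, sig = token.split(".", 1)
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        return json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):
        return None


def resolve_user_vulnerable(token: str, users: dict):
    """Pre-fix behaviour: any well-signed token maps to its user,
    even if that user has since been deactivated."""
    claims = _verify_signature(token)
    if claims is None:
        return None
    return users.get(claims["sub"])


def resolve_user_fixed(token: str, users: dict):
    """Fixed behaviour: the user's current is_active flag is consulted on
    every use, so deactivating the account revokes outstanding tokens."""
    user = resolve_user_vulnerable(token, users)
    if user is None or not user.is_active:
        return None
    return user


def demo() -> dict:
    users = make_users()
    access = issue_token(1, "access")
    refresh = issue_token(1, "refresh")
    users[1].is_active = False  # admin deactivates alice after tokens were issued
    return {
        "vuln_access": resolve_user_vulnerable(access, users) is not None,
        "vuln_refresh": resolve_user_vulnerable(refresh, users) is not None,
        "fixed_access": resolve_user_fixed(access, users) is not None,
        "fixed_refresh": resolve_user_fixed(refresh, users) is not None,
        "fixed_bob": resolve_user_fixed(issue_token(2, "access"), users) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The is_active check has to sit on both the access-token and the refresh-token path; guarding only the access path still lets a deactivated user mint fresh access tokens from a refresh token issued earlier. The same pattern is the quick regression test for the upgrade: issue tokens, deactivate the account, replay both tokens and expect rejection.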

Weakness Enumeration Insufficient Session Expiration (CWE-613)

Related Identifiers

CVE-2025-65430
GHSA-QHMC-3MVR-F2J4
OPENSUSE-SU-2026:10680-1
PYSEC-2025-110

Affected Products

Debian
Allauth-Django