PT-2025-52412 · Unknown · Fastapi-Sso

David Borș · Published 2025-12-19 · Updated 2025-12-19 · CVE-2025-14546

CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: fastapi-sso versions prior to 0.19.0
Description: The software is susceptible to Cross-Site Request Forgery (CSRF) because the OAuth state parameter is not adequately validated during the authentication callback. The get_login_url method generates a state value but does not store it or associate it with the user’s session. Subsequently, the verify_and_process method accepts the state parameter from the query string without comparing it to a trusted, locally stored value. An attacker can therefore deceive a user into visiting a malicious callback URL, potentially linking the attacker’s account to the user’s internal account.
Recommendations: Update to version 0.19.0 or later.
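The state check that the description says was missing, as an added illustration in plain Python (not fastapi-sso's own code): the login step binds a fresh state to the caller's session and the callback step rejects any state that does not match it. The session store, endpoint URLs and client id are constructed placeholders; the function names mirror the two methods the advisory refers to.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-in for a server-side session store (session cookie -> data).
SESSIONS: dict[str, dict] = {}

AUTHORIZE_ENDPOINT = "https://idp.example/authorize"  # placeholder provider
REDIRECT_URI = "https://app.example/auth/callback"    # placeholder app URL


def get_login_url(session_id: str) -> str:
    """Build the authorization URL and bind a fresh state to the session."""
    # The advisory's flaw: state was generated but never stored, so the
    # callback had nothing trusted to compare against.
    state = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["oauth_state"] = state
    query = urlencode({
        "response_type": "code",
        "client_id": "PLACEHOLDER_CLIENT_ID",
        "redirect_uri": REDIRECT_URI,
        "state": state,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def verify_and_process(session_id: str, callback_url: str) -> str:
    """Check the callback's state against the session before trusting `code`."""
    # Reject absent, unknown or mismatched state; consume the stored value
    # either way so a captured callback cannot be replayed.
    params = parse_qs(urlparse(callback_url).query)
    presented = params.get("state", [""])[0]
    expected = SESSIONS.get(session_id, {}).pop("oauth_state", None)
    if not expected or not hmac.compare_digest(presented.encode(), expected.encode()):
        raise PermissionError("OAuth state mismatch: possible CSRF")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def callback_accepted(session_id: str, callback_url: str) -> bool:
    """True if the callback passes the state check, False if it is rejected."""
    try:
        verify_and_process(session_id, callback_url)
        return True
    except PermissionError:
        return False
```

In a real deployment the session id comes from an HttpOnly cookie set on the browser that requested the login URL, so a callback reached from another site has no session holding the expected state.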

Fix

Improper Authorization

Weakness Enumeration

Related Identifiers

CVE-2025-14546
GHSA-HP6R-R9VC-Q8WX

Affected Products

Fastapi-Sso