PT-2025-52515 · Unknown · Fastapi Users

Davidbors-Snyk · Published 2025-12-19 · Updated 2025-12-22 · CVE-2025-68481

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: FastAPI Users versions prior to 15.0.2
Description: FastAPI Users is a system designed to add registration and authentication to FastAPI projects. A login Cross-Site Request Forgery (CSRF) exists because OAuth login state tokens are stateless and lack per-request entropy or data linking them to the initiating session. The generate_state_token() function always uses an empty state data dictionary, resulting in a JWT containing only a fixed audience claim and an expiration timestamp. Upon callback, the library only verifies the JWT's signature and expiration, without correlating it to the initiating browser or using a server-side cache. An attacker can capture the server-generated state, complete the OAuth flow with their own account, and then trick a victim into loading a crafted callback URL. This allows the attacker to potentially take over the victim's account or log the victim into the attacker's account. The API endpoints /authorize and /callback?code=<attacker_code>&state=<attacker_state> are involved in this issue. The vulnerable function is generate_state_token().
Recommendations: Update to FastAPI Users version 15.0.2 or later.
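The weakness described above is that the state value carries nothing a callback handler could use to confirm the presenting browser is the one that started the flow. The following is an added illustration written for this advisory, not code from fastapi-users, and it does not reproduce the project's fix; it uses a minimal HMAC-signed token in place of the library's JWT, and every function name (generate_state_token_weak, begin_login_bound, callback_accepts_bound, the "sid" claim) is hypothetical. It places the advisory's weak pattern (audience claim plus expiry only) beside one standard mitigation: a per-login nonce kept in the browser's session and hashed into the state, so that a state presented by a session that did not initiate the flow is rejected.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Fixed audience claim, mirroring the advisory's "fixed audience claim and expiration".
AUDIENCE = "fastapi-users:oauth-state"
STATE_TTL = 3600  # seconds the state stays valid


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: dict, secret: bytes) -> str:
    """Stand-in for a signed JWT: base64(payload).base64(HMAC-SHA256)."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def _verify_signature(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Checks signature, audience and expiry only; returns the payload or None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    payload = json.loads(_unb64(body))
    now = time.time() if now is None else now
    if payload.get("aud") != AUDIENCE or payload.get("exp", 0) < now:
        return None
    return payload


# --- Weak pattern, as described in the advisory: state data is always empty ---
def generate_state_token_weak(secret: bytes, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    return _sign({"aud": AUDIENCE, "exp": now + STATE_TTL}, secret)


def callback_accepts_weak(token: str, secret: bytes, now: Optional[float] = None) -> bool:
    # Any unexpired token with a valid signature is accepted, regardless of who
    # presents it: nothing ties the state to the browser that started the login.
    return _verify_signature(token, secret, now) is not None


# --- Hardened pattern: bind the state to the initiating session ---
def begin_login_bound(secret: bytes, now: Optional[float] = None) -> Tuple[str, str]:
    """Returns (state_token, session_nonce). The caller stores the nonce in a
    server-side session or an HttpOnly cookie on the /authorize response; only
    its hash travels inside the state, so the state alone reveals nothing."""
    now = time.time() if now is None else now
    nonce = secrets.token_urlsafe(32)  # per-request entropy
    binding = hashlib.sha256(nonce.encode()).hexdigest()
    token = _sign({"aud": AUDIENCE, "exp": now + STATE_TTL, "sid": binding}, secret)
    return token, nonce


def callback_accepts_bound(token: str, secret: bytes, session_nonce: Optional[str],
                           now: Optional[float] = None) -> bool:
    """Accepts the callback only if the state was issued to this very session."""
    payload = _verify_signature(token, secret, now)
    if payload is None or session_nonce is None:
        return False
    expected = hashlib.sha256(session_nonce.encode()).hexdigest()
    return hmac.compare_digest(payload.get("sid", ""), expected)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"          # constructed sample key
    weak = generate_state_token_weak(secret)
    print("weak state, presented by a different browser:", callback_accepts_weak(weak, secret))
    tok, nonce = begin_login_bound(secret)
    print("bound state, same session:", callback_accepts_bound(tok, secret, nonce))
    print("bound state, other session:", callback_accepts_bound(tok, secret, "some-other-nonce"))
```

The weak verifier returns True for a token no matter which session presents it, which is exactly the property the advisory's description relies on; the bound verifier requires the nonce that was set on the initiating browser, so the same token presented from another session fails closed. Hashing the nonce into the state rather than embedding it directly keeps a leaked state value from being sufficient on its own.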

Exploit

Fix

Improper Authorization

CSRF

Weakness Enumeration

Related Identifiers

CVE-2025-68481
GHSA-5J53-63W8-8625

Affected Products

Fastapi Users