CVE-2025-68481 in FastAPI

Summary

by MITRE • 12/19/2025

FastAPI Users allows users to quickly add a registration and authentication system to their FastAPI project. Prior to version 15.0.2, the OAuth login state tokens are completely stateless and carry no per-request entropy or any data that could link them to the session that initiated the OAuth flow. `generate_state_token()` is always called with an empty `state_data` dict, so the resulting JWT only contains the fixed audience claim plus an expiration timestamp. On callback, the library merely checks that the JWT verifies under `state_secret` and is unexpired; there is no attempt to match the state value to the browser that initiated the OAuth request, no correlation cookie, and no server-side cache. Any attacker can hit `/authorize`, capture the server-generated state, finish the upstream OAuth flow with their own provider account, and then trick a victim into loading `.../callback?code=<attacker_code>&state=<attacker_state>`. Because the state JWT is valid for any client for ~1 hour, the victim's browser will complete the flow. This leads to login CSRF. Depending on the app's logic, the login CSRF can lead to an account takeover of the victim account or to the victim user getting logged in to the attacker's account. Version 15.0.2 contains a patch for the issue.


Analysis

by VulDB Data Team • 03/05/2026

The vulnerability described in CVE-2025-68481 affects the FastAPI Users library, a popular authentication framework for FastAPI applications that provides quick registration and authentication systems. This security flaw exists in versions prior to 15.0.2 and represents a critical implementation weakness in the OAuth2 authentication flow that could enable attackers to perform login cross-site request forgery attacks. The issue stems from the complete absence of state token entropy and session correlation mechanisms within the library's OAuth implementation, creating a fundamental security gap that undermines the integrity of the authentication process.

The technical flaw lies in how the library generates and validates OAuth state tokens through the `generate_state_token()` function which consistently passes an empty `state_data` dictionary to the token generation process. This results in JSON Web Tokens (JWTs) that contain only a fixed audience claim and expiration timestamp, lacking any per-request entropy or session-specific data that would bind the token to the initiating browser session. The state tokens are generated without any correlation to the originating request context, making them completely stateless and predictable. During the OAuth callback phase, the library performs only basic validation checks ensuring the JWT signature verifies against the `state_secret` and that the token has not expired, without implementing any mechanism to verify that the state token corresponds to the browser session that initiated the OAuth request.

The operational impact of this vulnerability is severe and directly translates to login cross-site request forgery (CSRF) attacks that can result in account takeover or unauthorized account association. An attacker can exploit this flaw by initiating an OAuth flow through the `/authorize` endpoint, capturing the server-generated state token, completing the upstream OAuth flow with their own provider account, and then tricking a victim into loading a malicious callback URL containing the attacker's authorization code and state token. Since the state JWT remains valid for approximately one hour, the victim's browser will successfully complete the authentication flow, potentially logging them into the attacker's account or enabling the attacker to take control of the victim's account. This vulnerability specifically aligns with CWE-352, which describes Cross-Site Request Forgery, and maps to ATT&CK technique T1566.001 for credential access through phishing.

The mitigation for this vulnerability requires updating to FastAPI Users version 15.0.2 or later, which implements proper state token validation mechanisms. The patched version should incorporate session correlation through the use of correlation cookies, server-side state token caching, or other mechanisms that establish a binding between the OAuth state token and the initiating browser session. Additionally, applications should implement proper input validation and session management practices, including verifying that OAuth state tokens are only valid for the specific browser session that initiated the authentication flow. Organizations should also consider implementing additional security measures such as CSRF tokens for other authentication flows, monitoring for unusual authentication patterns, and ensuring that all third-party authentication libraries are kept up to date with the latest security patches to prevent similar vulnerabilities from being introduced into their applications.

Responsible: GitHub M
Reservation: 12/18/2025
Disclosure: 12/19/2025
Moderation: accepted
CPE: ready
EPSS: 0.00103
KEV: no
Activities: very low
