Description

Authlib is a Python library which builds OAuth and OpenID Connect servers. In version 1.6.5 and prior, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an attacker-initiated authentication flow). When a cache is supplied to the OAuth client registry, FrameworkIntegration.set_state_data writes the entire state blob under _state_{app}_{state}, and get_state_data ignores the caller’s session altogether. This issue has been patched in version 1.6.6.

INFO

Published Date :

2026-01-08T17:58:17.724Z

Last Modified :

2026-01-08T18:20:43.016Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-68158 vulnerability.

Vendors Products
Authlib
  • Authlib
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-68158.

URL Resource
https://github.com/authlib/authlib/commit/2808378611dd6fb2532b189a9087877d8f0c0489 cve-icon cve-icon cve-icon
https://github.com/authlib/authlib/commit/7974f45e4d7492ab5f527577677f2770ce423228 cve-icon cve-icon cve-icon
https://github.com/authlib/authlib/security/advisories/GHSA-fg6f-75jq-6523 cve-icon cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact