CVE-2025-14546 MEDIUM

CVE-2025-14546

Vendor N/A
Product fastapi-sso
Weakness CWE-285
Published December 19, 2025
Last update December 19, 2025
View on NVD All CVEs

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N/E:P

What the vulnerability does

01Description

Versions of the package fastapi-sso before 0.19.0 are vulnerable to Cross-site Request Forgery (CSRF) due to the improper validation of the OAuth state parameter during the authentication callback. While the get_login_url method allows for state generation, it does not persist the state or bind it to the user's session. Consequently, the verify_and_process method accepts the state received in the query parameters without verifying it against a trusted local value. This allows a remote attacker to trick a victim into visiting a malicious callback URL, which can result in the attacker's account being linked to the victim's internal account.

Key dates

02Disclosure timeline

December 19, 2025 CVE published
December 19, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-15124 JeecgBoot list getParameterMap improper authorization CVE-2021-32619 Static imports inside dynamically imported modules do not adhere to permission checks CVE-2023-48241 XWiki exposed whole content of all documents of all wikis to anybody with view right on Solr suggest service CVE-2020-5289 Read permissions not enforced for client provided filter expressions in Elide http client CVE-2025-6735 juzaweb CMS Import Page imports improper authorization