CVE-2025-61783 MEDIUM

CVE-2025-61783: Python Social Auth - Django has unsafe account association

Vendor Python-Social-Auth

Product social-app-django

Weakness CWE-303

Published October 9, 2025

Last update October 15, 2025

View on NVD All CVEs

CVSS base score

6.3/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

Description

Python Social Auth is a social authentication/registration mechanism. In versions prior to 5.6.0, upon authentication, the user could be associated by e-mail even if the `associate_by_email` pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or doesn't require unique e-mail addresses. Version 5.6.0 contains a patch. As a workaround, review the authentication service policy on e-mail addresses; many will not allow exploiting this vulnerability.

Key dates

Disclosure timeline

October 9, 2025 CVE published

October 15, 2025 Record updated