CVE-2025-68158 — Cross-Site Request Forgery in Authlib

CWE-352 — Cross-Site Request Forgery9 documents7 sources

Severity

8.8HIGHNVD

OSV7.5

EPSS

0.0%

top 93.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Authlib Debian Python-authlib

Timeline

PublishedJan 8

Latest updateFeb 25

Description

Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an attacker-initiated authentication flow). When a cache is supplied to the OAuth client registry, FrameworkIntegration.set_state_data writes the entire state blob under _state_{app}_{state}, and get_state_data ignores the c…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶debiandebian/python-authlib< python-authlib 1.6.6-1 (forky)

▶NVDauthlib/authlib< 1.6.6

▶PyPIauthlib/authlib1.0.0 — 1.6.6

▶CVEListV5authlib/authlib>= 1.0.0, < 1.6.6

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

python-authlib vulnerabilities↗2026-02-25

▶

OSV

Authlib has 1-click Account Takeover vulnerability↗2026-01-08

▶

GHSA

Authlib has 1-click Account Takeover vulnerability↗2026-01-08

▶

OSV

CVE-2025-68158: Authlib is a Python library which builds OAuth and OpenID Connect servers↗2026-01-08

▶

📋Vendor Advisories

Ubuntu

Authlib vulnerabilities↗2026-02-25

▶

Red Hat

Authlib: Authlib: Cross-Site Request Forgery due to improper session management in state storage↗2026-01-08

▶

Debian

CVE-2025-68158: python-authlib - Authlib is a Python library which builds OAuth and OpenID Connect servers. In ve...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-68158 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶