VYPR
Medium severity 6.3 · OSV Advisory · Published Dec 19, 2025 · Updated Apr 29, 2026

CVE-2025-14546

Description

Versions of the package fastapi-sso before 0.19.0 are vulnerable to Cross-site Request Forgery (CSRF) because the OAuth state parameter is not validated during the authentication callback. The get_login_url method can generate a state value, but it neither persists it nor binds it to the user's session, so the verify_and_process method accepts whatever state arrives in the callback query parameters without comparing it against a trusted local value. A remote attacker can therefore start a login for their own account and trick a victim into visiting the resulting callback URL, which can link the attacker's account to the victim's internal account.
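To make the mechanics concrete, here is an added example that is not fastapi-sso's code: a stdlib-only model of the login redirect and the callback check, showing the unbound-state behaviour the description above attributes to versions before 0.19.0 beside a check that binds the state to the browser that started the login. The function and constant names (build_login_redirect, verify_callback_unbound, verify_callback_bound, csrf_outcome, Callback, STATE_COOKIE) and the provider URL are assumptions made for the example; the attack driver constructs both parties' logins in-process so it runs offline.

```python
# Added example, not fastapi-sso's code: a stdlib-only model of the login
# redirect and callback check, showing the unbound-state behaviour the
# advisory describes beside a version that binds `state` to the browser.
# Every name below (build_login_redirect, verify_callback_unbound,
# verify_callback_bound, csrf_outcome, Callback, STATE_COOKIE) is hypothetical.
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://idp.example/authorize"  # constructed placeholder
STATE_COOKIE = "sso_state"


@dataclass
class Callback:
    """What the callback check needs from the request: query params and cookies."""
    query: dict
    cookies: dict


def build_login_redirect(client_id: str, redirect_uri: str):
    """Authorize URL plus the cookie that must come back with the callback.
    The state is fresh per login and exists only in the URL and this cookie."""
    state = secrets.token_urlsafe(32)
    url = AUTHORIZE_URL + "?" + urlencode({
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "state": state,
    })
    cookie = {
        "name": STATE_COOKIE, "value": state,
        "httponly": True,   # page script cannot read it
        "secure": True,     # never sent over plain HTTP
        "samesite": "lax",  # still sent on the top-level GET the IdP redirects to
        "max_age": 600,     # a login should not take longer than this
    }
    return url, cookie


def state_from_url(url: str) -> str:
    """The `state` the IdP will echo back, read out of the authorize URL."""
    return parse_qs(urlparse(url).query)["state"][0]


def verify_callback_unbound(cb: Callback) -> str:
    """Pre-0.19.0 shape as the advisory describes it: `state` is read from the
    query and kept, but never compared with anything this browser was given."""
    code = cb.query.get("code")
    if code is None:
        raise ValueError("'code' parameter was not found in callback request")
    _state = cb.query.get("state")  # stored, never checked
    return code


def verify_callback_bound(cb: Callback) -> str:
    """Hardened check: the query `state` must equal the cookie this browser
    received when it started the login; either one missing is a failure."""
    code = cb.query.get("code")
    if code is None:
        raise ValueError("'code' parameter was not found in callback request")
    presented = cb.query.get("state")
    expected = cb.cookies.get(STATE_COOKIE)
    if presented is None or expected is None:
        raise PermissionError("state missing")  # this browser did not start the login
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        raise PermissionError("state mismatch")
    return code


def csrf_outcome(verifier) -> dict:
    """Runs the advisory's attack against a verifier: the attacker starts a login,
    gets a code for THEIR account, and sends the victim our callback URL carrying
    that code and that state. Returns the code each callback was accepted with."""
    victim_url, victim_cookie = build_login_redirect("app", "https://app.example/cb")
    attacker_url, _ = build_login_redirect("app", "https://app.example/cb")
    crafted_query = {"code": "ATTACKER-CODE", "state": state_from_url(attacker_url)}
    results = {}
    # The victim's browser holds its own unfinished-login cookie, or none at all.
    for label, cookies in (
        ("victim_with_own_cookie", {STATE_COOKIE: victim_cookie["value"]}),
        ("victim_without_cookie", {}),
    ):
        try:
            results[label] = verifier(Callback(query=crafted_query, cookies=cookies))
        except (ValueError, PermissionError) as exc:
            results[label] = f"rejected: {exc}"
    # The victim's own flow, cookie and state from the same login, must still pass.
    legit = Callback(query={"code": "VICTIM-CODE", "state": state_from_url(victim_url)},
                     cookies={STATE_COOKIE: victim_cookie["value"]})
    results["legitimate"] = verifier(legit)
    return results
```

Running csrf_outcome against the unbound verifier accepts the attacker's code whether or not the victim has a cookie, which is the account-linking outcome the description warns about; the bound verifier rejects both crafted callbacks (mismatch when the victim holds their own cookie, missing state when they hold none) while the victim's own login still completes. In a FastAPI application the cookie dict maps onto the keyword arguments of the response's set_cookie, and the comparison is the check that 0.19.0 adds.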

Affected packages

Versions sourced from the GitHub Security Advisory.

Package       Ecosystem   Affected versions   Patched versions
fastapi-sso   PyPI        < 0.19.0            0.19.0

Affected products: 1

Patches: 2

Commit 6117d1a5ad49

fix: enforce state validation (#267)

https://github.com/tomasvotava/fastapi-sso · davidbors-snyk · Dec 10, 2025 · via GHSA
1 file changed · +10 −0
  • fastapi_sso/sso/base.py · +10 −0 · modified
    @@ -341,6 +341,8 @@ async def get_login_redirect(
             response = RedirectResponse(login_uri, 303)
             if self.uses_pkce:
                 response.set_cookie("pkce_code_verifier", str(self._pkce_code_verifier))
    +        if state is not None:
    +            response.set_cookie("sso_state", state)
             return response
     
         @overload
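Review bot: `response.set_cookie("sso_state", state)` stores the binding value with the cookie defaults, so it has no `httponly`, `secure`, `samesite` or `max_age`; a state that page script can read, that travels over plain HTTP and that never expires weakens the binding this hunk introduces. Suggest `response.set_cookie("sso_state", state, httponly=True, secure=True, samesite="lax", max_age=600)` (Lax still sends the cookie on the top-level GET the provider redirects to), and the `pkce_code_verifier` cookie two lines above deserves the same attributes.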
    @@ -402,6 +404,14 @@ async def verify_and_process(
                 )
                 raise SSOLoginError(400, "'code' parameter was not found in callback request")
             self._state = request.query_params.get("state")
    +        if self._state is None and self.requires_state:
    +            raise SSOLoginError(400, "'state' parameter was not found in callback request")
    +        if self._state is not None:
    +            sso_state = request.cookies.get("sso_state")
    +            if sso_state is None and self.requires_state:
    +                raise SSOLoginError(401, "State cookie not found")
    +            if sso_state is not None and sso_state != self._state:
    +                raise SSOLoginError(401, "Invalid state")
             pkce_code_verifier: Optional[str] = None
             if self.uses_pkce:
                 pkce_code_verifier = request.cookies.get("pkce_code_verifier")
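Review bot: when `requires_state` is false and the `sso_state` cookie is absent, an attacker-supplied `state` still passes, because `sso_state is None` skips both new checks and only the `!=` comparison can reject; that is exactly the cross-site case (a callback carrying a `state` this browser was never given), so a `state` in the query with no matching cookie should be rejected regardless of `requires_state`. Two smaller points: use `secrets.compare_digest` instead of `!=` for the comparison, and nothing in this hunk clears the cookie after the check, so one value stays valid for any later callback until the browser drops it.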
    


References: 5

News mentions: 0 (no linked articles in our index yet)