FastAPI-SSO, Cross-site Request Forgery (CSRF), Moderate Severity

The vulnerability in fastapi-sso arises from improper handling of the OAuth state parameter during the authentication callback. The `get_login_url` method generates a state value but fails to persist it in the user’s session or bind it securely. Subsequently, the `verify_and_process` method accepts the state parameter directly from the incoming query string without validating it against a server-stored value. This omission breaks the CSRF protection mechanism intended by the state parameter. An attacker can craft a malicious callback URL with a predetermined state value and trick a victim into initiating an OAuth flow. When the victim clicks the link, their browser sends the request to the fastapi-sso endpoint. Since the state is not verified, the application processes the authentication callback, linking the attacker’s external OAuth account to the victim’s internal application account. This allows account takeover or unauthorized linking without the victim’s consent. The issue is rooted in the lack of session binding for the state parameter, making the OAuth flow susceptible to CSRF attacks. All versions before 0.19.0 are affected.
Platform: fastapi-sso
Version: before 0.19.0
Vulnerability: CSRF OAuth state
Severity: Moderate
Date: Dec 19 2025

Prediction: Patched 0.19.0

What Undercode Says:

Analytics

# Check the installed version
pip show fastapi-sso

# Check whether the state is persisted (Python)
from fastapi_sso import SSO
sso = SSO(...)
login_url = sso.get_login_url()  # state is generated here but never stored server-side

# Exploit simulation: request the callback with an attacker-chosen, fixed state
curl -I "http://target/callback?state=attacker_state"

How the Exploit Works:

Attacker crafts malicious OAuth callback URL with fixed state parameter. Victim clicks while authenticated. Application accepts state, linking attacker’s OAuth account to victim’s session.

Protection from this CVE

Update to version 0.19.0. Implement server-side state storage and validation. Use anti-CSRF tokens.
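The following is an added illustration of the server-side binding the fix requires; it is not fastapi-sso's own code. It simulates the two halves of the flow with plain Python: `begin_login` generates a random state and a signed copy for the browser's session cookie, and `verify_callback_state` only accepts a callback whose query state matches that stored copy. `SERVER_SECRET` and the dot-separated cookie format are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Hypothetical server-side secret; a real deployment loads it from configuration.
SERVER_SECRET = b"constructed-demo-secret-do-not-use"


def sign_state(state: str) -> str:
    """Bind the state to this server with an HMAC so a browser cannot forge the cookie."""
    mac = hmac.new(SERVER_SECRET, state.encode(), hashlib.sha256).hexdigest()
    return f"{state}.{mac}"


def begin_login() -> Tuple[str, str]:
    """Return (state for the authorization URL, cookie value to set on the browser).

    The caller should set the cookie HttpOnly, Secure and SameSite=Lax.
    """
    state = secrets.token_urlsafe(32)  # urlsafe base64: never contains "."
    return state, sign_state(state)


def verify_callback_state(query_state: Optional[str], cookie_value: Optional[str]) -> bool:
    """Accept the callback only if the query state equals the state stored in the session.

    Both the signature and the state are compared in constant time.
    """
    if not query_state or not cookie_value or "." not in cookie_value:
        return False
    stored_state, _, mac = cookie_value.rpartition(".")
    expected = hmac.new(SERVER_SECRET, stored_state.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False  # cookie was tampered with or signed by another server
    return hmac.compare_digest(stored_state, query_state)


def verify_callback_state_vulnerable(query_state: Optional[str], cookie_value: Optional[str]) -> bool:
    """Pattern the advisory describes for versions before 0.19.0: the query state is never
    checked against anything held server-side, so any attacker-chosen value passes."""
    return query_state is not None


if __name__ == "__main__":
    state, cookie = begin_login()
    print("own state accepted:", verify_callback_state(state, cookie))
    print("foreign state rejected:", not verify_callback_state("attacker_state", cookie))
    print("vulnerable check accepts foreign state:", verify_callback_state_vulnerable("attacker_state", None))
```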

Impact:

Account linkage hijacking. Unauthorized account access.

Sources:

Reported By: github.com