Python Social Auth – Django, Unsafe Account Association, CVE-2025-22098 (Moderate)


How the mentioned CVE works:

CVE-2025-22098 affects social-auth-app-django, the Django integration of python-social-auth. When a third-party login completed, the library could link the new social identity to an existing local user whose email address matched, and it did so even when the `associate_by_email` step had been deliberately left out of `SOCIAL_AUTH_PIPELINE`, so operators who believed they had disabled email-based association were still exposed. An attacker registers at a third-party provider with the victim's email address; if that provider does not verify ownership of the address, or lets several accounts share one, the attacker's social identity is linked to the victim's local account, and the next login through that provider lands the attacker in the victim's session without any credentials for the target application. The result is a complete account takeover.
Platform: Django
Package: social-auth-app-django (python-social-auth)
Vulnerability: Account takeover via unsafe account association
Severity: Moderate

date: 2024-10-09

Prediction: Patch by 2024-10-23

What Undercode Say:

Find out whether email-based association is referenced anywhere in the project:

`grep -r "associate_by_email" .`

Inspect existing associations from the Django shell. The `delete()` call below removes every link for the named provider (replace `third-party` with the real backend name) and forces those users to re-associate; it is destructive, so review the queryset and take a database backup first:

`python manage.py shell`

`from social_django.models import UserSocialAuth`

`UserSocialAuth.objects.filter(provider='third-party').delete()`

Check your pipeline in settings.py. The lookup and username steps should be present while `associate_by_email` stays absent unless every enabled provider verifies email ownership (on current releases the pipeline modules live under `social_core.pipeline` rather than `social.pipeline`):

`SOCIAL_AUTH_PIPELINE = (... 'social.pipeline.social_auth.social_user', ... 'social.pipeline.user.get_username', ...)`

How the exploit works:

The attacker registers with a third-party authentication provider using the victim's email address, then starts a login to the target Django application through that provider. Because of the flaw, the backend links the attacker's social identity to the victim's pre-existing local account on the strength of the matching email alone, without the provider having proved ownership of the address and regardless of whether `associate_by_email` is in the pipeline. The attacker is then signed in as the victim with full access to the account and its data.
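The following is an added example, not code from python-social-auth or social-auth-app-django: a small Python model of how a completed social login gets resolved to a local account, with the flawed behaviour described in the two sections above placed beside a hardened version. The store, the `resolve_unsafe` and `resolve_safe` functions, the pipeline tuple and the sample users are all constructed for illustration; the real library's pipeline and models are more involved than this.

```python
# Added example (not library code): models the unsafe email-based association
# described on this page next to a hardened resolver. All names, the pipeline
# tuple and the sample accounts are constructed for illustration.
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass
class User:
    username: str
    email: str


@dataclass
class SocialLogin:
    """What a third-party provider hands back once OAuth completes."""
    provider: str
    uid: str               # provider-side identifier of the social account
    email: str
    email_verified: bool   # did the provider attest ownership of the address?


@dataclass
class UserStore:
    users: Dict[str, User] = field(default_factory=dict)
    # (provider, uid) -> username; plays the role of the UserSocialAuth table
    associations: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def add_user(self, username: str, email: str) -> User:
        user = User(username, email)
        self.users[username] = user
        return user

    def find_by_email(self, email: str) -> Optional[User]:
        for user in self.users.values():
            if user.email.lower() == email.lower():
                return user
        return None

    def create_for_login(self, login: SocialLogin) -> User:
        # A fresh account with a provider-scoped username, so it can never be
        # confused with the pre-existing local account that shares the email.
        username = f"{login.provider}:{login.uid}"
        self.associations[(login.provider, login.uid)] = username
        return self.add_user(username, login.email)


def _pipeline_has(pipeline: Tuple[str, ...], step: str) -> bool:
    """Steps are dotted paths in settings, so match on the final component."""
    return any(entry.rsplit(".", 1)[-1] == step for entry in pipeline)


def resolve_unsafe(store: UserStore, login: SocialLogin,
                   pipeline: Tuple[str, ...]) -> User:
    """Flawed behaviour: a matching email wins even though associate_by_email
    is absent from the pipeline and the provider never verified the address."""
    key = (login.provider, login.uid)
    if key in store.associations:
        return store.users[store.associations[key]]
    existing = store.find_by_email(login.email)   # `pipeline` is never consulted
    if existing is not None:
        store.associations[key] = existing.username
        return existing
    return store.create_for_login(login)


def resolve_safe(store: UserStore, login: SocialLogin,
                 pipeline: Tuple[str, ...]) -> User:
    """Hardened: associate by email only when the operator opted in AND the
    provider attested the address; otherwise a separate account is created."""
    key = (login.provider, login.uid)
    if key in store.associations:
        return store.users[store.associations[key]]
    if _pipeline_has(pipeline, "associate_by_email") and login.email_verified:
        existing = store.find_by_email(login.email)
        if existing is not None:
            store.associations[key] = existing.username
            return existing
    return store.create_for_login(login)


# Constructed scenario: the operator removed associate_by_email, and the
# attacker registered the victim's address at a provider that does not verify it.
PIPELINE_WITHOUT_ASSOCIATE = (
    "social_core.pipeline.social_auth.social_details",
    "social_core.pipeline.social_auth.social_uid",
    "social_core.pipeline.social_auth.social_user",
    "social_core.pipeline.user.get_username",
    "social_core.pipeline.user.create_user",
)
ATTACKER_LOGIN = SocialLogin("third-party", "attacker-123",
                             "victim@example.com", email_verified=False)


def run_scenario(resolver: Callable[..., User]) -> Tuple[str, str]:
    """Returns (victim's username, username the attacker's login resolved to)."""
    store = UserStore()
    victim = store.add_user("victim", "victim@example.com")
    resolved = resolver(store, ATTACKER_LOGIN, PIPELINE_WITHOUT_ASSOCIATE)
    return victim.username, resolved.username


if __name__ == "__main__":
    print("unsafe:", run_scenario(resolve_unsafe))   # attacker lands in 'victim'
    print("safe:  ", run_scenario(resolve_safe))     # attacker gets a new account
```

The two resolvers differ only in the guard around the email lookup: the safe one requires both an explicit opt-in in the pipeline and a provider-asserted verified email before it will reuse an existing account, which is the combination the page's mitigation section asks for.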

Protection from this CVE:

Upgrade python-social-auth / social-auth-app-django to a release that carries the fix. Keep `associate_by_email` out of `SOCIAL_AUTH_PIPELINE` unless every enabled provider verifies email ownership, and where you do rely on it, trust the address only when the provider reports it as verified. Enforce email verification on your own side for new and re-associated accounts, and review each provider's policy on email verification and uniqueness. Afterwards, audit `UserSocialAuth` records for associations created during the exposure window.

Impact:

Account takeover. Unauthorized data access. Privilege escalation.


Sources:

Reported By: github.com