Cross-Site Request Forgery Vulnerability in FastAPI SSO by Tomas Votava
CVE-2025-14546

CVSS score: 6.9 (MEDIUM)

Key Information:

Vendor
CVE Published:
19 December 2025

What is CVE-2025-14546?

Versions of FastAPI SSO prior to 0.19.0 are vulnerable to Cross-Site Request Forgery (CSRF). The issue stems from inadequate validation of the OAuth state parameter during the authentication callback. The get_login_url method generates a state value but does not bind it to the user's session, and the verify_and_process method does not check the state parameter received at the callback against a trusted, session-bound value. As a result, an attacker can potentially direct a victim to a crafted callback URL, causing the attacker's identity-provider account to be linked with the victim's account in the application.
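The following is an added illustration of the missing binding the advisory describes; it is not fastapi-sso's own code. The session dict stands in for the HttpOnly cookie or server-side session the OAuth client controls, SECRET is a constructed server-side key, and begin_login / finish_login are hypothetical names for the extra steps a login-URL generator and a callback verifier would perform.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server-side key; kept out of the browser and rotated in practice.
SECRET = b"constructed-server-side-key-not-for-production"
STATE_KEY = "oauth_state_binding"


def bind_state(state: str, secret: bytes = SECRET) -> str:
    """Keyed hash of the state. Storing this rather than the raw state means a
    party that can only write cookies (e.g. a sibling subdomain) cannot plant a
    value that matches a state it chose itself."""
    return hmac.new(secret, state.encode(), hashlib.sha256).hexdigest()


def begin_login(session: dict, secret: bytes = SECRET) -> str:
    """What a login-URL generator should do besides creating the state: record
    the binding in the caller's session before redirecting to the provider."""
    state = secrets.token_urlsafe(32)        # unguessable, fresh per request
    session[STATE_KEY] = bind_state(state, secret)
    return state                              # placed in the authorization URL


def finish_login(session: dict, query_state: Optional[str],
                 secret: bytes = SECRET) -> bool:
    """What the callback verifier should check before exchanging the code: the
    state echoed back must match the one this session started with. The binding
    is consumed on every attempt, so a captured callback URL cannot be replayed."""
    expected = session.pop(STATE_KEY, None)   # one-shot, regardless of outcome
    if not expected or not query_state:
        return False                          # callback without a started login
    return hmac.compare_digest(expected, bind_state(query_state, secret))


if __name__ == "__main__":
    session = {}
    state = begin_login(session)
    print("callback with the session's own state:", finish_login(session, state))
    print("replay of the same state:", finish_login(session, state))
```

A callback that fails this check should be rejected before any token exchange or account linking takes place.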

Affected Version(s)

fastapi-sso: all versions before 0.19.0 (0 <= version < 0.19.0)

References

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

David Borș (Snyk Security Research)