OAuth Login Vulnerability in FastAPI Users by FastAPI
CVE-2025-68481

5.9MEDIUM

Key Information:

Vendor
CVE Published:
19 December 2025

What is CVE-2025-68481?

FastAPI Users prior to version 15.0.2 suffers from a significant OAuth login state token vulnerability. The state tokens it generates are entirely stateless and lack sufficient entropy or any session-related data that would bind them to the browser that started the login. This allows an unauthorized party to capture the state tied to a legitimate user and reuse it in the OAuth flow: with a crafted callback request, an attacker can potentially trick victims into unwittingly logging into the attacker's account or having their own accounts hijacked. Version 15.0.2 addresses and rectifies this critical flaw.
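The weakness described above is a state token that is valid on its own, with nothing tying it to the session that requested it. The following Python example is added here to illustrate that pattern beside the usual mitigation; it is not code from FastAPI Users, and the HMAC-signed JSON token format, the SERVER_SECRET value and the idea of carrying the nonce in a session cookie are assumptions made for the example. The weak generator issues a signed token with only an audience and expiry, so any browser's callback accepts any such token; the hardened generator adds a random nonce that must also be presented from a cookie set on the initiating browser, so a token captured from one session fails validation in another.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed server-side signing key for this example only (assumption).
SERVER_SECRET = b"example-server-secret-not-for-production"
STATE_AUDIENCE = "oauth-state"
STATE_LIFETIME_SECONDS = 600


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as commonly used in token formats."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(payload: dict) -> str:
    """Serialise and HMAC-sign a claims dict into 'body.signature' (assumed format)."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def _verify(token: str) -> Optional[dict]:
    """Return the claims if the signature is valid, otherwise None."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = _b64(hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest())
    # Constant-time comparison on bytes so a non-ASCII input cannot raise.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    padded = body + "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


# --- Weak pattern: the state is signed, but carries nothing session-specific.
def weak_generate_state() -> str:
    # Only an audience and expiry: every valid token looks the same to every
    # browser, so one captured from a legitimate user can be replayed in a
    # forged callback (the login-CSRF shape described in the advisory).
    return _sign({"aud": STATE_AUDIENCE, "exp": int(time.time()) + STATE_LIFETIME_SECONDS})


def weak_validate_callback(state: str) -> bool:
    claims = _verify(state)
    return (
        claims is not None
        and claims.get("aud") == STATE_AUDIENCE
        and claims.get("exp", 0) > time.time()
    )


# --- Hardened pattern: a random nonce lives in the state AND in a cookie that
# only the initiating browser holds; the callback must present both.
def hardened_generate_state() -> Tuple[str, str]:
    """Return (state, cookie_nonce). The caller sets the nonce in an HttpOnly,
    SameSite=Lax cookie on the browser that started the flow (assumed design)."""
    nonce = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG
    state = _sign({
        "aud": STATE_AUDIENCE,
        "exp": int(time.time()) + STATE_LIFETIME_SECONDS,
        "nonce": nonce,
    })
    return state, nonce


def hardened_validate_callback(state: str, cookie_nonce: Optional[str]) -> bool:
    """Accept the callback only if the state is valid AND its nonce matches the
    cookie presented by this browser. A state minted for another session, or
    presented without the cookie, is rejected."""
    claims = _verify(state)
    if claims is None or claims.get("aud") != STATE_AUDIENCE:
        return False
    if claims.get("exp", 0) <= time.time():
        return False
    if not cookie_nonce:
        return False
    return hmac.compare_digest(str(claims.get("nonce", "")).encode(), cookie_nonce.encode())


def replay_across_sessions_accepted(hardened: bool) -> bool:
    """Simulate a state captured from session A being presented from session B.
    Returns True if the validator wrongly accepts the replayed state."""
    if not hardened:
        captured_state = weak_generate_state()          # minted for session A
        return weak_validate_callback(captured_state)   # replayed from B: accepted
    captured_state, _nonce_a = hardened_generate_state()  # minted for session A
    _state_b, nonce_b = hardened_generate_state()         # session B has its own nonce
    return hardened_validate_callback(captured_state, nonce_b)


if __name__ == "__main__":
    print("weak validator accepts replayed state:", replay_across_sessions_accepted(False))
    print("hardened validator accepts replayed state:", replay_across_sessions_accepted(True))
```

The detection angle for operators follows from the same idea: a callback whose state verifies but whose nonce does not match any cookie on the requesting browser is exactly the event the hardened validator logs as a rejection, and a spike of such rejections is worth alerting on.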

Affected Version(s)

fastapi-users < 15.0.2

References

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
