CVE-2025-65430
MEDIUM5.4EPSS 0.04%django-allauth does not reject access tokens for inactive users
Published: 12/15/2025Modified: 5/20/2026
Description
An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as is_active=False after having handed tokens for that user while the account was still active had no effect. Fixed the access/refresh tokens are now rejected.
Affected packages (3)
- Debian/django-allauthfrom 0
- PyPI/django-allauthfrom 0, < 65.13.0
- PyPI/django-allauthfrom 0, < 65.13.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
References (7)
- ADVISORYhttps://allauth.org/news/2025/10/django-allauth-65.13.0-released/
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-65430
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2025-65430
- PATCHhttps://codeberg.org/allauth/django-allauth
- WEBhttps://allauth.org/news/2025/10/django-allauth-65.13.0-released
- WEBhttps://github.com/pennersr/django-allauth/commit/39f4a4ce9c891795b00914ca5ec32de72d5369c0
- WEBhttps://github.com/pennersr/django-allauth/commit/c54edf947c5a1c8c4ff3cddb75c86000ecb2507d