CVE-2025-65431
Severity: MEDIUM 5.4 | EPSS 0.04%
django-allauth's Okta and NetIQ implementations used a mutable identifier for authorization decisions
Published: 12/15/2025 | Modified: 5/20/2026
Description
An issue was discovered in django-allauth before 65.13.0. Both the Okta and NetIQ providers used the preferred_username claim as the identifier for third-party provider accounts. That value may be mutable (it can be renamed or reassigned by the identity provider) and should therefore not be used for authorization decisions. The providers now use the stable sub claim instead.
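To make the description concrete, here is an added example (not django-allauth's own code) that models a social-account link table keyed by the provider uid and runs the same login sequence with both identifier choices. The claim sets, the `SocialAccountStore` class and the local user names are constructed for illustration; no real Okta or NetIQ responses or django-allauth classes are used.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Constructed ID-token claim sets for illustration; not real Okta or NetIQ responses.
CLAIMS_ALICE = {"sub": "00u-0001", "preferred_username": "alice"}
# The same person after an administrator renames her login; "sub" does not change.
CLAIMS_ALICE_RENAMED = {"sub": "00u-0001", "preferred_username": "alice.smith"}
# A different person who is later assigned the now-free login name "alice".
CLAIMS_MALLORY = {"sub": "00u-0002", "preferred_username": "alice"}


def extract_uid_before(claims: Dict[str, str]) -> str:
    """Identifier choice the advisory describes for versions before 65.13.0."""
    return claims["preferred_username"]  # mutable: can be renamed or reassigned


def extract_uid_after(claims: Dict[str, str]) -> str:
    """Identifier choice from 65.13.0 on: the stable OIDC subject."""
    return claims["sub"]


@dataclass
class SocialAccountStore:
    """Hypothetical stand-in for a social-account table keyed by provider uid."""
    extract_uid: Callable[[Dict[str, str]], str]
    links: Dict[str, str] = field(default_factory=dict)

    def login(self, claims: Dict[str, str], new_local_user: str) -> str:
        """Return the local user this login resolves to; link a new one if unknown."""
        uid = self.extract_uid(claims)
        return self.links.setdefault(uid, new_local_user)


def run_scenario(extract_uid: Callable[[Dict[str, str]], str]) -> Tuple[str, str, str]:
    """Alice logs in, is renamed and logs in again; then Mallory logs in."""
    store = SocialAccountStore(extract_uid)
    alice = store.login(CLAIMS_ALICE, "local-alice")
    alice_again = store.login(CLAIMS_ALICE_RENAMED, "local-alice-2")
    mallory = store.login(CLAIMS_MALLORY, "local-mallory")
    return alice, alice_again, mallory


if __name__ == "__main__":
    # Before the fix: Alice is cut off from her account and Mallory lands in it.
    print("preferred_username:", run_scenario(extract_uid_before))
    # After the fix: every login resolves to its own local user.
    print("sub:", run_scenario(extract_uid_after))
```

The mutable identifier produces two failures in one sequence: a legitimate rename orphans the original account, and a reassigned login name resolves to another user's account, which is exactly why only the subject identifier is suitable for authorization decisions.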
Affected packages (3)
- Debian/django-allauth: from 0
- PyPI/django-allauth: from 0, < 65.13.0
- PyPI/django-allauth: from 0, < 65.13.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
References (6)
- ADVISORY: https://allauth.org/news/2025/10/django-allauth-65.13.0-released/
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-65431
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2025-65431
- PATCH: https://codeberg.org/allauth/django-allauth
- WEB: https://allauth.org/news/2025/10/django-allauth-65.13.0-released
- WEB: https://github.com/pennersr/django-allauth/commit/8feef46e0e07b25fc5594c8f268afa247ebc3412