CVE-2025-65430
django-allauth does not reject access tokens for inactive users
Severity: MEDIUM 5.4 | EPSS 0.04%
Published: 2025/12/15 | Modified: 2026/5/20
Description
An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as is_active=False after having handed out tokens for that user while the account was still active had no effect. Fixed: the access/refresh tokens are now rejected.
Affected packages (3)
- Debian/django-allauth: from 0
- PyPI/django-allauth: from 0, < 65.13.0
- PyPI/django-allauth: from 0, < 65.13.0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
References (7)
- ADVISORY: https://allauth.org/news/2025/10/django-allauth-65.13.0-released/
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-65430
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2025-65430
- PATCH: https://codeberg.org/allauth/django-allauth
- WEB: https://allauth.org/news/2025/10/django-allauth-65.13.0-released
- WEB: https://github.com/pennersr/django-allauth/commit/39f4a4ce9c891795b00914ca5ec32de72d5369c0
- WEB: https://github.com/pennersr/django-allauth/commit/c54edf947c5a1c8c4ff3cddb75c86000ecb2507d