CVE-2025-65431
MEDIUM5.4EPSS 0.04%django-allauth's Okta and NetIQ implementations used a mutable identifier for authorization decisions
發布日:2025/12/15修改日:2026/5/20
描述
An issue was discovered in allauth-django before 65.13.0. Both Okta and NetIQ were using preferred_username as the identifier for third-party provider accounts. That value may be mutable and should therefore be avoided for authorization decisions. The providers are now using sub instead.
受影響套件(3)
- Debian/django-allauthfrom 0
- PyPI/django-allauthfrom 0, < 65.13.0
- PyPI/django-allauthfrom 0, < 65.13.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
參考連結(6)
- ADVISORYhttps://allauth.org/news/2025/10/django-allauth-65.13.0-released/
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-65431
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2025-65431
- PATCHhttps://codeberg.org/allauth/django-allauth
- WEBhttps://allauth.org/news/2025/10/django-allauth-65.13.0-released
- WEBhttps://github.com/pennersr/django-allauth/commit/8feef46e0e07b25fc5594c8f268afa247ebc3412