CVE-2025-68158
Published: 08 January 2026
Summary
CVE-2025-68158 is a medium-severity CSRF (CWE-352) vulnerability in Authlib Authlib. Its CVSS base score is 5.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528); ranked at the 7.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Awareness training educates users on avoiding untrusted links and actions that can be exploited via CSRF.
Requiring user re-entry of credentials for sensitive actions prevents automated forgery of requests without active user participation.
Security testing regimens explicitly include checks for missing or ineffective anti-CSRF protections in web applications.
Detects anomalous request patterns consistent with cross-site request forgery.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CSRF flaw in OAuth state/token storage enables attackers to obtain and misuse application access tokens via session-independent cache keys.
NVD Description
Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state…
more
(easily obtainable via an attacker-initiated authentication flow). When a cache is supplied to the OAuth client registry, FrameworkIntegration.set_state_data writes the entire state blob under _state_{app}_{state}, and get_state_data ignores the caller’s session altogether. This issue has been patched in version 1.6.6.
Deeper analysisAI
CVE-2025-68158 affects Authlib, a Python library for building OAuth and OpenID Connect servers, specifically in versions 1.0.0 through 1.6.5. The vulnerability stems from cache-backed state and request-token storage not being tied to the initiating user session. When a cache is supplied to the OAuth client registry, the FrameworkIntegration.set_state_data function writes the entire state blob under a key like _state_{app}_{state}, while get_state_data ignores the caller's session entirely. This flaw, classified as CWE-352 (Cross-Site Request Forgery), carries a CVSS v3.1 base score of 5.7 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N) and was published on 2026-01-08.
An attacker can exploit this vulnerability by obtaining a valid state value, which is easily acquired through an attacker-initiated authentication flow. With low privileges (PR:L) and requiring user interaction (UI:R), the attacker can perform a CSRF attack over the network (AV:N). Successful exploitation allows high confidentiality impact (C:H), such as unauthorized access to sensitive state data or tokens not bound to the victim's session.
The issue has been addressed in Authlib version 1.6.6. Security advisories and patch commits, including those at GHSA-fg6f-75jq-6523 and specific GitHub changes like 2808378611dd6fb2532b189a9087877d8f0c0489 and 7974f45e4d7492ab5f527577677f2770ce423228, detail the fix to properly associate state storage with user sessions. Practitioners should upgrade to 1.6.6 or later and review cache configurations in OAuth integrations.
Details
- CWE(s)