Fluid Attacks Database

Description

django-allauth does not reject access tokens for inactive users An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as is_active=False after having handed tokens for that user while the account was still active had no effect. Fixed the access/refresh tokens are now rejected.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	django-allauth	=0.44.0+ds-1 \|\| =0.44.0+ds-1+deb11u1 \|\| =0.46.0+ds-1 \|\| =0.47.0-1 \|\| =0.51.0-1 \|\| =0.58.2-2 \|\| =64.1.0-1 \|\| =65.0.2-1 \|\| =65.0.2-2 \|\| =65.15.0-1	-
debian 13	django-allauth	=65.0.2-1 \|\| =65.0.2-2 \|\| =65.15.0-1	-
debian 14	django-allauth	=65.0.2-1 \|\| =65.0.2-2 \|\| >=0 <65.15.0-1	65.15.0-1
debian 12	django-allauth	=0.51.0-1 \|\| =0.58.2-2 \|\| =64.1.0-1 \|\| =65.0.2-1 \|\| =65.0.2-2 \|\| =65.15.0-1	-
pypi	django-allauth	>=0 <65.13.0	65.13.0

Aliases

1. CVE-2025-654302. NVD-2025-654303. OSV-DEBIAN-2025-654304. OSV-2025-654305. GCVE-2025-654306. SECURITY-TRACKER-CVE-2025-65430

References

1. https://github.com/pennersr/django-allauth/commit/39f4a4ce9c891795b00914ca5ec32de72d5369c02. https://github.com/pennersr/django-allauth/commit/c54edf947c5a1c8c4ff3cddb75c86000ecb2507d3. https://allauth.org/news/2025/10/django-allauth-65.13.0-released4. https://github.com/pypa/advisory-database/tree/main/vulns/django-allauth/PYSEC-2025-110.yaml