logo

Database

Improper authorization control for web services In social-auth-app-django

Description

Python Social Auth is a social authentication/registration mechanism. In versions prior to 5.6.0, upon authentication, the user could be associated by e-mail even if the associate_by_email pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or doesn't require unique e-mail addresses. Version 5.6.0 contains a patch. As a workaround, review the authentication service policy on e-mail addresses; many will not allow exploiting this vulnerability.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-617832. NVD-2025-617833. OSV-DEBIAN-2025-617834. OSV-2025-617835. GHSA-wv4w-6qv2-qqfg6. GCVE-2025-617837. SECURITY-TRACKER-CVE-2025-61783

References

1. https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-wv4w-6qv2-qqfg2. https://github.com/python-social-auth/social-app-django/issues/2203. https://github.com/python-social-auth/social-app-django/issues/2314. https://github.com/python-social-auth/social-app-django/issues/6345. https://github.com/python-social-auth/social-app-django/pull/8036. https://github.com/python-social-auth/social-app-django/commit/10c80e2ebabeccd4e9c84ad0e16e1db74148ed4c

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.