FastAPI SSO Cross-Site Request Forgery Vulnerability
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the FastAPI SSO package, affecting versions prior to 0.19.0. The issue arises from inadequate validation of the OAuth state parameter during the authentication callback. Although the 'get_login_url' method can generate a state, it fails to store it or associate it with the user's session. As a result, the 'verify_and_process' method accepts the state from query parameters without verifying it against a trusted local value. This flaw enables remote attackers to manipulate victims into visiting malicious callback URLs, potentially linking the attackers' accounts to the victims' internal accounts.
Impact
Exploitation of this vulnerability allows for Cross-Site Request Forgery, where an attacker's account can be linked to a victim's account within the application, leading to unauthorized access or actions on behalf of the victim.
Reproduction
To reproduce this vulnerability, create a FastAPI application that uses the FastAPI SSO library and implements a callback that links SSO identities to existing user accounts. Then, initiate an OAuth flow and pause before the callback. An attacker can then trick a logged-in user into sending a request to the callback with a manipulated state parameter, bypassing the library's state validation and completing the OAuth process, which results in account takeover.
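The missing check described above, as an added example that is not the FastAPI SSO library's own code: the state generated for the login URL is bound to the user's browser through an HMAC-signed cookie, and the callback only proceeds when the query-string state matches that bound value. The signing secret, cookie format and function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed placeholder: a real deployment loads this from configuration.
COOKIE_SECRET = b"example-only-replace-with-a-real-secret"


def _sign(value: str) -> str:
    """HMAC-SHA256 tag so the browser cannot substitute its own stored state."""
    return hmac.new(COOKIE_SECRET, value.encode(), hashlib.sha256).hexdigest()


def issue_state() -> Tuple[str, str]:
    """Return (state, cookie_value).

    The state is appended to the authorization URL; the cookie value is set on
    the user's browser (HttpOnly, SameSite) so the two can be matched later.
    """
    state = secrets.token_urlsafe(32)
    return state, f"{state}.{_sign(state)}"


def verify_state_unbound(query_state: Optional[str]) -> bool:
    """Pre-0.19.0 behaviour described above: the callback trusts whatever
    state arrives in the query string, so an attacker-chosen value passes."""
    return bool(query_state)


def verify_state_bound(query_state: Optional[str], cookie_value: Optional[str]) -> bool:
    """Hardened check: the callback state must equal the state this server
    bound to this browser, and the cookie's tag must verify."""
    if not query_state or not cookie_value or "." not in cookie_value:
        return False
    stored_state, tag = cookie_value.rsplit(".", 1)
    if not hmac.compare_digest(tag.encode(), _sign(stored_state).encode()):
        return False  # cookie forged or tampered with
    return hmac.compare_digest(stored_state.encode(), query_state.encode())
```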
Remediation
Users are advised to upgrade FastAPI SSO to version 0.19.0 or later.