FastAPI Users OAuth Login State Vulnerability Allows Cross-Site Request Forgery
Vulnerability
A vulnerability in FastAPI Users prior to version 15.0.2 allows for Cross-Site Request Forgery (CSRF) attacks during the OAuth login process. The issue arises because the OAuth login state tokens are completely stateless and lack per-request entropy or any data linking them to the session that initiated the OAuth flow. This vulnerability enables an attacker to capture a valid state token, complete the OAuth flow with their own account, and trick a victim into loading a callback with the attacker's state and code, potentially leading to account takeover.
Impact
Exploitation of this vulnerability can result in unauthorized account access, allowing an attacker to take over a victim's account or vice versa, depending on the application's logic.
Reproduction
To reproduce this vulnerability, initiate an OAuth flow and capture the state token generated by the server. Then, complete the OAuth flow using an account of your choice. Finally, trick a logged-in user into performing a callback request that includes the captured state token and authorization code. This can be done through phishing or other social engineering tactics.
Remediation
Update to FastAPI Users version 15.0.2 or later, where this vulnerability has been patched.
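The weakness described above is a state token with no per-request entropy and no link to the browser that started the flow. The following is an added illustration (not FastAPI Users' own code, and not the 15.0.2 patch) of the property a fixed implementation needs: each flow gets a fresh random nonce held only by the initiating browser, the signed state carries a hash of that nonce, and the callback rejects any state whose nonce the presenting browser cannot produce. The secret and TTL are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed demo secret; a real deployment loads it from configuration.
SECRET = b"constructed-demo-secret-do-not-reuse"
STATE_TTL = 600  # seconds a pending OAuth flow stays valid


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def issue_state(now: Optional[float] = None) -> Tuple[str, str]:
    """Start an OAuth flow: return (state_token, browser_nonce).

    The nonce is fresh per request and is handed only to the browser that
    started the flow (e.g. in an HttpOnly, SameSite cookie). The state token
    carries a hash of it, so a captured token is useless to another browser.
    """
    nonce = secrets.token_urlsafe(32)
    exp = int((time.time() if now is None else now) + STATE_TTL)
    body = json.dumps({"nh": hashlib.sha256(nonce.encode()).hexdigest(),
                       "exp": exp}).encode()
    b64 = base64.urlsafe_b64encode(body).decode().rstrip("=")
    return f"{b64}.{_sign(body)}", nonce


def verify_state(token: str, browser_nonce: Optional[str],
                 now: Optional[float] = None) -> bool:
    """Callback: accept the state only if it is signed, unexpired, and bound
    to the nonce the calling browser presents. Every failure returns False."""
    if browser_nonce is None:
        return False  # this browser never started an OAuth flow
    try:
        b64, sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    except (ValueError, TypeError):
        return False
    if not hmac.compare_digest(_sign(body), sig):
        return False  # check the MAC before trusting the payload
    claims = json.loads(body)
    if (time.time() if now is None else now) > claims.get("exp", 0):
        return False
    expected = hashlib.sha256(browser_nonce.encode()).hexdigest()
    return hmac.compare_digest(str(claims.get("nh", "")), expected)
```

With this binding, a state token captured from the attacker's own flow fails verification in the victim's browser, which holds a different nonce or none at all.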