Authlib Cross-Site Request Forgery Vulnerability in Cache Feature

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in Authlib, a Python library for building OAuth and OpenID Connect servers. This issue affects versions prior to 1.6.11 and arises from the lack of CSRF protection in the cache feature of 'authlib.integrations.starlette_client.OAuth'. When the cache parameter is used, there is no mechanism to tie the client to the authentication state, leaving users vulnerable to CSRF attacks. This vulnerability allows attackers to manipulate authentication flows, and in some cases, such as pushing invoices into a victim's account, the consequences could be serious.

Impact

Exploitation of this vulnerability allows for cross-site request forgery attacks, where an attacker could potentially tie their account to a victim's, leading to unauthorized actions on behalf of the victim. In one reported scenario, this allowed attackers to push invoices into a victim's account, ready to be paid.

Reproduction

To reproduce this vulnerability, set up a Starlette integration with caching enabled. An attacker can initiate the authentication flow and then send the redirect URL to a victim. When the victim completes the authorization, the attacker's account could be tied to the victim's, exploiting the lack of CSRF protection.
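The following is an added example, not code from Authlib or from this advisory, that models the missing check described above. A shared server-side cache (standing in for the object passed as the cache parameter) holds the OAuth state keyed by the state value alone, so any client that presents that value passes the callback check; the hardened variant records a per-client session identifier as the owner of the state entry and rejects a callback from any other client. The class and function names, the session cookie, and the example URLs are assumptions made for the simulation, and the flows are simplified to the state-handling step only.

```python
import hmac
import secrets


class Browser:
    """One user agent with its own cookie jar (constructed for the simulation)."""

    def __init__(self):
        self.cookies = {}


class SharedCache:
    """Server-side store shared by every request, standing in for the object
    passed as OAuth(cache=...). Entries are addressed by key alone."""

    def __init__(self):
        self._entries = {}

    def set(self, key, value):
        self._entries[key] = value

    def pop(self, key):
        return self._entries.pop(key, None)


def start_login_cache_only(cache, browser):
    """Weak pattern: the state is stored in the shared cache and nothing
    records which client created it."""
    state = secrets.token_urlsafe(16)
    cache.set(f"state:{state}", {"redirect_uri": "https://app.example/callback"})
    return state  # this value travels in the authorize URL


def finish_login_cache_only(cache, browser, state):
    """Callback check that only asks 'does this state exist?'. Any client that
    learns the state value passes the check, which is the CSRF condition."""
    data = cache.pop(f"state:{state}")
    if data is None:
        raise ValueError("unknown or already used state")
    return data


def start_login_bound(cache, browser):
    """Hardened pattern: issue a per-client session cookie and record it as the
    owner of the state entry."""
    session_id = browser.cookies.setdefault("session", secrets.token_urlsafe(16))
    state = secrets.token_urlsafe(16)
    cache.set(
        f"state:{state}",
        {"redirect_uri": "https://app.example/callback", "owner": session_id},
    )
    return state


def finish_login_bound(cache, browser, state):
    """Callback check that also requires the presenting client to be the one
    that started the flow; a state delivered to a different browser is rejected."""
    data = cache.pop(f"state:{state}")
    session_id = browser.cookies.get("session")
    if data is None or session_id is None or not hmac.compare_digest(data["owner"], session_id):
        raise ValueError("state is not bound to this client")
    return data


def foreign_state_accepted(start, finish):
    """Run the cross-site scenario once: one browser starts the flow and a
    different browser presents that state at the callback."""
    cache = SharedCache()
    initiator, other = Browser(), Browser()
    state = start(cache, initiator)
    try:
        finish(cache, other, state)
        return True
    except ValueError:
        return False


def same_client_accepted(start, finish):
    """Sanity check: the client that started the flow can still complete it."""
    cache = SharedCache()
    browser = Browser()
    state = start(cache, browser)
    try:
        finish(cache, browser, state)
        return True
    except ValueError:
        return False


def simulate():
    """Compare both patterns under the foreign-state scenario."""
    return {
        "cache_only_accepts_foreign_state": foreign_state_accepted(
            start_login_cache_only, finish_login_cache_only),
        "bound_accepts_foreign_state": foreign_state_accepted(
            start_login_bound, finish_login_bound),
        "bound_accepts_own_client": same_client_accepted(
            start_login_bound, finish_login_bound),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

Running the simulation shows the cache-only callback accepting a state that a different client created, while the bound variant rejects it and still lets the originating client finish. The ownership check is the piece a reviewer should look for whenever OAuth state lives in a store that is not scoped to the requesting client.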

Remediation

Users can update to Authlib version 1.6.11 or later, where this vulnerability has been fixed.

Added: Apr 24, 2026, 8:50 PM
Updated: Apr 24, 2026, 8:50 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 0.6
exploitability: 4.2
remediation: 7.7
relevance: 6.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.