CVE-2025-43856

Source
https://cve.org/CVERecord?id=CVE-2025-43856
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-43856.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-43856
Aliases
  • GHSA-3832-6r8h-9cfm
Published
2025-07-11T17:10:52.423Z
Modified
2026-04-10T05:31:29.631096Z
Severity
  • 7.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
immich allows account hijacking through oauth2
Details

immich is a high-performance self-hosted photo and video management solution. Prior to 1.132.0, immich is vulnerable to account hijacking through OAuth2 because the state parameter is not checked. The OAuth2 state parameter plays the same role as a CSRF token: when the user starts the login flow, an unpredictable value is generated, stored in the browser session, and passed to the identity provider, which returns it unchanged when redirecting the user back to immich. Before the user is logged in, that parameter must be compared against the stored value to confirm that the login was actively initiated by the user in this browser session. On its own this would be less serious, but when immich uses the /user-settings page as the redirect_uri, it automatically links the returned OAuth identity to the account that is already logged in. This means that, on an immich instance configured with a public OAuth provider (such as Google), an attacker can, for example, embed a hidden iframe in a web page or simply send the victim a forged OAuth login URL carrying an authorization code for the attacker's own OAuth account; the callback logs the victim into the attacker's OAuth identity, redirects back to immich, and links that identity to the victim's account. From then on, the attacker can log into the victim's immich account using their own OAuth credentials. This vulnerability is fixed in 1.132.0.
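The flow described above, as an added example that is not immich's own code: a minimal OAuth2 authorization-code client with an in-memory browser session, written to show the unchecked-state callback beside a fixed one and to replay the forged-callback attack against both. The identity-provider endpoint, client_id, redirect hosts, authorization codes and IdP subjects are all constructed for the example; the session, link table and IdP stub are assumptions standing in for immich's real storage.

```typescript
import { randomBytes, timingSafeEqual } from "crypto";

// Assumed server-side session (what a session cookie would resolve to).
interface Session {
  userId?: string;      // local account this browser is logged in as, if any
  oauthState?: string;  // state minted when this browser started an OAuth login
}

// Hypothetical IdP stub: authorization code -> IdP subject it was issued to.
// Codes are constructed test data, not real tokens.
const ISSUED_CODES: Record<string, string> = {
  "code-for-victim": "idp-sub-victim",
  "code-for-attacker": "idp-sub-attacker",
};

// OAuth link table: IdP subject -> local user id.
type LinkTable = Map<string, string>;

// Step 1: start the flow. The state is unpredictable and bound to this session.
function startLogin(session: Session, redirectUri: string): string {
  const state = randomBytes(32).toString("base64url");
  session.oauthState = state;
  const u = new URL("https://idp.example/authorize"); // assumed IdP
  u.searchParams.set("client_id", "immich-example");   // assumed client id
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("response_type", "code");
  u.searchParams.set("state", state);
  return u.toString();
}

// Step 2 (shared): redeem the code, then either link the IdP identity to the
// already-logged-in account (the /user-settings redirect_uri behaviour) or
// log in as whichever account that identity is linked to.
function completeLogin(session: Session, code: string, links: LinkTable): string {
  const sub = ISSUED_CODES[code];
  if (!sub) return "error: bad code";
  if (session.userId) {
    links.set(sub, session.userId);
    return `linked ${sub} to ${session.userId}`;
  }
  const user = links.get(sub);
  if (!user) return "error: no linked account";
  session.userId = user;
  return `logged in as ${user}`;
}

// VULNERABLE: never compares the returned state to the session's, so a forged
// callback URL (hidden iframe, phishing link) carrying the attacker's code is
// accepted inside the victim's logged-in session.
function callbackVulnerable(session: Session, query: URLSearchParams, links: LinkTable): string {
  return completeLogin(session, query.get("code") ?? "", links);
}

// FIXED: state must exist in this session, match in constant time, and is
// consumed on first use whether or not the comparison succeeds.
function callbackHardened(session: Session, query: URLSearchParams, links: LinkTable): string {
  const expected = session.oauthState;
  session.oauthState = undefined; // single use
  const a = Buffer.from(expected ?? "");
  const b = Buffer.from(query.get("state") ?? "");
  if (!expected || a.length !== b.length || !timingSafeEqual(a, b)) {
    return "error: state mismatch";
  }
  return completeLogin(session, query.get("code") ?? "", links);
}

type Callback = typeof callbackVulnerable;

// Replays the advisory's attack against a given callback handler.
function simulateAttack(callback: Callback): { linked: boolean; attackerLoggedInAs?: string } {
  const links: LinkTable = new Map([["idp-sub-victim", "victim"]]);
  // Victim's browser is logged in and never started an OAuth login...
  const victim: Session = { userId: "victim" };
  // ...but loads a forged callback URL carrying the attacker's own code.
  const forged = new URLSearchParams({ code: "code-for-attacker", state: "anything" });
  callback(victim, forged, links);
  const linked = links.get("idp-sub-attacker") === "victim";
  // Attacker now logs in from their own browser with their own IdP identity.
  const attacker: Session = {};
  startLogin(attacker, "https://immich.example/auth/login"); // assumed host
  const q = new URLSearchParams({ code: "code-for-attacker", state: attacker.oauthState ?? "" });
  callback(attacker, q, links);
  return { linked, attackerLoggedInAs: attacker.userId };
}

// A normal login still succeeds with the hardened handler.
function legitimateLogin(): string | undefined {
  const links: LinkTable = new Map([["idp-sub-victim", "victim"]]);
  const s: Session = {};
  startLogin(s, "https://immich.example/auth/login");
  const q = new URLSearchParams({ code: "code-for-victim", state: s.oauthState ?? "" });
  callbackHardened(s, q, links);
  return s.userId;
}

console.log("vulnerable:", simulateAttack(callbackVulnerable));
console.log("hardened:  ", simulateAttack(callbackHardened));
console.log("legit login:", legitimateLogin());
```

Two details matter beyond the comparison itself: the state is cleared before the check so a failed attempt cannot be retried against the same value, and the comparison is constant-time so a mismatch does not leak how many leading bytes matched. Binding the state to the session (rather than only checking that some state was echoed back) is what defeats the forged URL, because the attacker can choose any state value but cannot make it appear in the victim's session.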

Database specific
{
    "cwe_ids": [
        "CWE-303"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/43xxx/CVE-2025-43856.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/immich-app/immich

Affected ranges

Type
GIT
Repo
https://github.com/immich-app/immich
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.132.0"
        }
    ]
}

Affected versions

Other
first-android-release
v0.*
v0.2-dev
v0.3-dev
v0.4-dev
v0.5-dev
v0.6-dev
v1.*
v1.10.0_15-dev
v1.100.0
v1.101.0
v1.102.0
v1.102.1
v1.102.2
v1.102.3
v1.103.0
v1.103.1
v1.104.0
v1.105.0
v1.105.1
v1.106.0
v1.106.1
v1.106.2
v1.106.3
v1.106.4
v1.107.0
v1.107.1
v1.107.2
v1.108.0
v1.109.0
v1.109.1
v1.109.2
v1.11.0_17-dev
v1.110.0
v1.111.0
v1.112.0
v1.112.1
v1.113.0
v1.113.1
v1.114.0
v1.115.0
v1.116.0
v1.116.1
v1.116.2
v1.117.0
v1.118.0
v1.118.1
v1.118.2
v1.119.0
v1.119.1
v1.12.0_18-dev
v1.120.0
v1.120.1
v1.120.2
v1.121.0
v1.122.0
v1.122.1
v1.122.2
v1.122.3
v1.123.0
v1.124.0
v1.124.1
v1.124.2
v1.125.0
v1.125.1
v1.125.2
v1.125.3
v1.125.4
v1.125.5
v1.125.6
v1.125.7
v1.126.0
v1.126.1
v1.127.0
v1.128.0
v1.129.0
v1.13.0_20-dev
v1.130.0
v1.130.1
v1.130.2
v1.130.3
v1.131.0
v1.131.1
v1.131.2
v1.131.3
v1.14.0_21-dev
v1.15.0_21-dev
v1.15.1_21-dev
v1.16.0_23-dev
v1.17.0_25-dev
v1.18.0_27-dev
v1.19.0_29-dev
v1.19.1_29-dev
v1.20.0_30-dev
v1.20.1_30-dev
v1.20.2_30-dev
v1.20.3_30-dev
v1.21.0_31-dev
v1.21.1_31-dev
v1.22.0_32-dev
v1.23.0_33-dev
v1.24.0_34-dev
v1.25.0_35-dev
v1.26.0_36-dev
v1.27.0_37-dev
v1.28.0_38-dev
v1.28.1_39-dev
v1.28.2_40-dev
v1.28.3_41-dev
v1.28.4_41-dev
v1.28.4_42-dev
v1.29.0_42-dev
v1.29.1_43-dev
v1.29.2_43-dev
v1.29.3_43-dev
v1.29.4_44-dev
v1.29.5_44-dev
v1.29.6_44-dev
v1.29.6_45-dev
v1.3.0-dev
v1.3.1-dev
v1.30.0_46-dev
v1.30.2_48-dev
v1.31.0_49-dev
v1.31.1_49-dev
v1.32.0_50-dev
v1.32.1_51-dev
v1.33.0_52-dev
v1.33.1_52-dev
v1.34.0_53-dev
v1.35.0_54-dev
v1.36.0_55-dev
v1.36.1_55-dev
v1.36.2_56-dev
v1.37.0_58-dev
v1.38.0_60-dev
v1.38.1_60-dev
v1.38.2_60-dev
v1.39.0_61-dev
v1.4.0+6-dev
v1.4.0+7-dev
v1.4.0-dev
v1.40.0_63-dev
v1.40.1_63-dev
v1.41.0_64-dev
v1.41.1_64-dev
v1.42.0_65-dev
v1.43.0
v1.43.1
v1.44.0
v1.45.0
v1.46.0
v1.46.1
v1.47.0
v1.47.1
v1.47.2
v1.47.3
v1.48.0
v1.48.1
v1.49.0
v1.5.0+8-dev
v1.5.1+9-dev
v1.50.0
v1.50.1
v1.51.0
v1.51.1
v1.51.2
v1.52.1
v1.53.0
v1.54.0
v1.54.1
v1.55.0
v1.55.1
v1.56.0
v1.56.1
v1.56.2
v1.57.0
v1.57.1
v1.58.0
v1.59.0
v1.59.1
v1.6.0_10-dev
v1.60.0
v1.61.0
v1.62.0
v1.62.1
v1.63.0
v1.63.1
v1.63.2
v1.64.0
v1.65.0
v1.66.0
v1.66.1
v1.67.0
v1.67.1
v1.67.2
v1.68.0
v1.69.0
v1.7.0_11-dev
v1.70.0
v1.71.0
v1.72.0
v1.72.1
v1.72.2
v1.73.0
v1.74.0
v1.75.0
v1.75.1
v1.75.2
v1.76.0
v1.76.1
v1.77.0
v1.78.0
v1.78.1
v1.79.0
v1.79.1
v1.8.0_12-dev
v1.80.0
v1.81.0
v1.81.1
v1.82.0
v1.82.1
v1.83.0
v1.84.0
v1.85.0
v1.86.0
v1.87.0
v1.88.0
v1.88.2
v1.89.0
v1.9.0_13-dev
v1.9.1_14-dev
v1.90.0
v1.90.1
v1.90.2
v1.91.0
v1.91.1
v1.91.2
v1.91.3
v1.91.4
v1.92.0
v1.92.1
v1.93.0
v1.93.1
v1.93.2
v1.93.3
v1.94.1
v1.95.0
v1.95.1
v1.96.0
v1.97.0
v1.98.0
v1.98.1
v1.98.2
v1.99.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-43856.json"