GHSA-8m3c-c723-h4p4

Source

https://github.com/advisories/GHSA-8m3c-c723-h4p4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-8m3c-c723-h4p4/GHSA-8m3c-c723-h4p4.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-8m3c-c723-h4p4

Aliases

CVE-2025-65431

Published

2025-12-15T15:30:31Z

Modified

2025-12-16T20:41:16.326989Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

django-allauth's Okta and NetIQ implementations used a mutable identifier for authorization decisions

Details

An issue was discovered in allauth-django before 65.13.0. Both Okta and NetIQ were using preferred_username as the identifier for third-party provider accounts. That value may be mutable and should therefore be avoided for authorization decisions. The providers are now using sub instead.

Database specific

{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-287"
    ],
    "nvd_published_at": "2025-12-15T14:15:57Z",
    "github_reviewed_at": "2025-12-16T19:35:08Z",
    "severity": "MODERATE"
}

References

Affected packages

PyPI / django-allauth

Package

Name: django-allauth; View open source insights on deps.dev
Purl: pkg:pypi/django-allauth

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

65.13.0

Affected versions

0.*

0.1.0

0.2.0

0.3.0

0.4.0

0.5.0

0.6.0

0.7.0

0.8.0

0.8.1

0.8.2

0.8.3

0.9.0

0.10.0

0.10.1

0.11.0

0.11.1

0.12.0

0.13.0

0.14.0

0.14.1

0.14.2

0.15.0

0.16.0

0.16.1

0.17.0

0.18.0

0.19.0

0.19.1

0.20.0

0.21.0

0.22.0

0.23.0

0.24.0

0.24.1

0.25.0

0.25.1

0.25.2

0.26.0

0.26.1

0.27.0

0.28.0

0.29.0

0.30.0

0.31.0

0.32.0

0.33.0

0.34.0

0.35.0

0.36.0

0.37.0

0.37.1

0.38.0

0.39.0

0.39.1

0.40.0

0.41.0

0.42.0

0.43.0

0.44.0

0.45.0

0.46.0

0.47.0

0.48.0

0.49.0

0.50.0

0.51.0

0.52.0

0.53.0

0.53.1

0.54.0

0.55.0

0.55.1

0.55.2

0.56.0

0.56.1

0.57.0

0.57.1

0.57.2

0.58.0

0.58.1

0.58.2

0.59.0

0.60.0

0.60.1

0.61.0

0.61.1

0.62.0

0.62.1

0.63.0

0.63.1

0.63.2

0.63.3

0.63.4

0.63.5

0.63.6

64.*

64.0.0

64.1.0

64.2.0

64.2.1

65.*

65.0.0

65.0.1

65.0.2

65.1.0

65.2.0

65.3.0

65.3.1

65.4.0

65.4.1

65.5.0

65.6.0

65.7.0

65.8.0

65.8.1

65.9.0

65.10.0

65.11.0

65.11.1

65.11.2

65.12.0

65.12.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-8m3c-c723-h4p4/GHSA-8m3c-c723-h4p4.json"