GHSA-wv4w-6qv2-qqfg

Source
https://github.com/advisories/GHSA-wv4w-6qv2-qqfg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-wv4w-6qv2-qqfg/GHSA-wv4w-6qv2-qqfg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wv4w-6qv2-qqfg
Aliases
Published
2025-10-09T17:08:05Z
Modified
2025-10-13T16:03:18.035803Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Python Social Auth - Django has unsafe account association
Details

Impact

Upon authentication, a user could be associated with an existing local account by e-mail address even when the associate_by_email step was not included in SOCIAL_AUTH_PIPELINE, so leaving that step out of the pipeline did not prevent association by e-mail. This can lead to account compromise when the third-party authentication provider does not verify the e-mail addresses it supplies or does not require them to be unique: an account registered at such a provider with a victim's e-mail address would be logged in as the victim's local account.

Patches

  • https://github.com/python-social-auth/social-app-django/pull/803

Workarounds

Review each configured authentication provider's policy on e-mail addresses. A provider that verifies ownership of the addresses it reports and requires them to be unique cannot be used to exploit this issue; many providers satisfy both conditions, so the practical exposure is limited to providers that fail either one. Upgrading to 5.6.0 removes the behaviour regardless of provider policy.
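The following is an added example, not code from social-app-django or social-core, showing the kind of guard the workaround above implies: an association-by-e-mail pipeline step that only links a social login to an existing local user when the provider itself asserts the address is verified. It follows the python-social-auth pipeline calling convention (backend, details, response, user, ...) but has no dependency on the library, so the FakeBackend/FakeUserStorage classes and the sample users are constructed stand-ins; the VERIFIED_EMAIL_CLAIM mapping (Google OIDC's email_verified claim) is an assumption you must extend for your own providers. It does not by itself close this advisory, because the vulnerable association happened outside the pipeline; upgrade to 5.6.0 first.

```python
"""Added example: associate by e-mail only when the IdP verified the address.

Not part of social-app-django; the fake backend/storage objects below stand in
for the library's strategy.storage.user lookup so the module runs stand-alone.
"""
from dataclasses import dataclass, field

# Assumption: for each backend name, the key in the provider's raw response
# that asserts the e-mail is verified. Google's OpenID Connect userinfo carries
# `email_verified`. Providers not listed here are never trusted for association.
VERIFIED_EMAIL_CLAIM = {
    "google-oauth2": "email_verified",
}


class MultipleAccountsMatched(Exception):
    """Several local users share this e-mail; refuse to pick one."""


def associate_by_verified_email(backend, details, response=None, user=None,
                                *args, **kwargs):
    """Pipeline step mirroring associate_by_email, but gated on verification.

    Returns {"user": ..., "is_new": False} on a safe match, otherwise None so
    later steps (e.g. create_user) run as usual and nothing is linked.
    """
    if user is not None:                      # already associated/logged in
        return None
    email = (details or {}).get("email")
    if not email:
        return None
    claim = VERIFIED_EMAIL_CLAIM.get(backend.name)
    if claim is None or (response or {}).get(claim) is not True:
        # Unknown provider policy or unverified address: no association.
        return None
    users = list(backend.strategy.storage.user.get_users_by_email(email))
    if not users:
        return None
    if len(users) > 1:
        raise MultipleAccountsMatched(email)
    return {"user": users[0], "is_new": False}


# --- constructed stand-ins for the library objects (demo only) -------------
@dataclass
class FakeUser:
    username: str
    email: str


@dataclass
class FakeUserStorage:
    users: list = field(default_factory=list)

    def get_users_by_email(self, email):
        # Exact-match lookup; the real storage queries the Django user model.
        return [u for u in self.users if u.email == email]


@dataclass
class FakeStorage:
    user: FakeUserStorage


@dataclass
class FakeStrategy:
    storage: FakeStorage


@dataclass
class FakeBackend:
    name: str
    strategy: FakeStrategy


def demo():
    """Constructed scenario: one local user, three provider responses."""
    strategy = FakeStrategy(FakeStorage(FakeUserStorage(
        users=[FakeUser("alice", "alice@example.com")])))
    google = FakeBackend("google-oauth2", strategy)
    other = FakeBackend("other-idp", strategy)       # no verification policy known
    details = {"email": "alice@example.com"}
    verified = associate_by_verified_email(
        google, details, response={"email": "alice@example.com", "email_verified": True})
    unverified = associate_by_verified_email(
        google, details, response={"email": "alice@example.com", "email_verified": False})
    unknown_idp = associate_by_verified_email(
        other, details, response={"email": "alice@example.com"})
    return verified, unverified, unknown_idp


if __name__ == "__main__":
    v, u, k = demo()
    print("verified ->", v)        # links to alice
    print("unverified ->", u)      # None
    print("unknown idp ->", k)     # None
```

To use it in a deployment, list the dotted path of this function in SOCIAL_AUTH_PIPELINE where you would otherwise list social_core.pipeline.social_auth.associate_by_email, and keep the claim mapping aligned with what each provider actually returns.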

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-09T17:08:05Z",
    "nvd_published_at": "2025-10-09T21:15:40Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-290",
        "CWE-303"
    ]
}
References

Affected packages

PyPI / social-auth-app-django

Package

Name
social-auth-app-django
Purl
pkg:pypi/social-auth-app-django

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
5.6.0
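As an added example (not part of the advisory or the project), the OSV ECOSYSTEM range above evaluated the way OSV defines it: the events are walked in version order and the most recent event at or below the queried version decides. The EVENTS list is copied from this page; the installed-package check uses importlib.metadata and reports nothing if social-auth-app-django is not installed. The `packaging` module is used for PEP 440 comparison when present; the fallback handles only plain numeric releases, which is all this advisory lists.

```python
"""Added example: is a given social-auth-app-django version in the affected range?"""
from importlib.metadata import PackageNotFoundError, version as _dist_version

try:
    from packaging.version import Version as _Version   # PEP 440 aware
except ImportError:                                     # fallback: numeric dotted releases only
    _Version = None

PACKAGE = "social-auth-app-django"
# Copied from the "Affected ranges" section of this advisory.
EVENTS = [{"introduced": "0"}, {"fixed": "5.6.0"}]


def version_key(v):
    """Comparable key for a version string (Version if packaging is installed, else int tuple)."""
    if _Version is not None:
        return _Version(v)
    parts = v.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"non-numeric version {v!r}: install 'packaging' to compare it")
    return tuple(int(p) for p in parts)


def is_affected(v, events=EVENTS):
    """OSV event semantics: `introduced` opens an affected span, `fixed` closes it
    at that version, `last_affected` closes it just after that version."""
    key = version_key(v)
    ordered = sorted(events, key=lambda e: version_key(next(iter(e.values()))))
    affected = False
    for ev in ordered:
        (kind, bound), = ev.items()
        bkey = version_key(bound)
        if kind == "introduced" and bkey <= key:
            affected = True
        elif kind == "fixed" and bkey <= key:
            affected = False
        elif kind == "last_affected" and bkey < key:
            affected = False
    return affected


def installed_status(package=PACKAGE, events=EVENTS):
    """(installed_version, affected) for the current environment, or (None, None) if absent."""
    try:
        v = _dist_version(package)
    except PackageNotFoundError:
        return None, None
    return v, is_affected(v, events)


if __name__ == "__main__":
    for v in ("0.0.1", "5.5.1", "5.6.0", "5.6.1"):
        print(v, "affected" if is_affected(v) else "not affected")
    print("installed:", installed_status())
```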

Affected versions

0.*

0.0.1
0.1.0

1.*

1.0.0
1.0.1
1.1.0
1.2.0

2.*

2.0.0
2.1.0

3.*

3.0.0
3.1.0
3.3.0
3.4.0

4.*

4.0.0

5.*

5.0.0
5.1.0
5.2.0
5.3.0
5.4.0
5.4.1
5.4.2
5.4.3
5.5.0
5.5.1