social-auth-core is vulnerable to Improper Input Validation
70
High Risk
The sanitize_redirect helper decides whether a return URL is allowed for a set of trusted hosts. It previously let through targets containing backslashes or Unicode control characters and did not reject non-HTTP(S) schemes in all cases, which can combine with browser normalization to produce unsafe redirects. Several OAuth backends now enable the standard STATE_PARAMETER so callbacks can be tied to the authorization step, and one provider passes the checked state when building the follow-up request. The SAML flow no longer reuses a stored session for the return leg until the SAML response has been cryptographically checked, and OpenID Connect PKCE handling defaults to the RFC’s S256 and verifier length on the shared PKCE base class path.
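The redirect rules described above, written out as an added Python example that is not social-auth-core's own sanitize_redirect code: a hypothetical is_safe_redirect helper rejects backslashes and Unicode control characters before any parsing happens, accepts only http/https (or a same-site relative path), and compares the parsed hostname against a caller-supplied set of trusted hosts. The host names and sample URLs below are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlparse

# Unicode general categories treated as control-like input (assumption:
# Cc = control characters, Cf = format characters such as zero-width joiners).
_CONTROL_CATEGORIES = ("Cc", "Cf")


def _has_control_chars(value):
    """True if any character is a Unicode control/format character."""
    return any(unicodedata.category(ch) in _CONTROL_CATEGORIES for ch in value)


def is_safe_redirect(url, trusted_hosts):
    """Return True only if `url` may be used as a post-login redirect target.

    Hypothetical helper (not the library's sanitize_redirect). The ordering
    matters: raw-character checks run before urlparse, because browsers
    normalize backslashes to slashes and strip some control characters,
    so a parser that sees the raw string can disagree with the browser.
    """
    if not isinstance(url, str) or not url:
        return False

    # 1. Reject backslashes and control characters on the raw string.
    if "\\" in url or _has_control_chars(url):
        return False

    parsed = urlparse(url)

    # 2. Only http/https are acceptable schemes; anything else
    #    (javascript:, data:, custom app schemes, ...) is rejected.
    if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
        return False

    # 3. Scheme-less and netloc-less input is a relative path. Require a
    #    single leading slash; "//host/..." is a network-path reference
    #    that browsers resolve to another origin, so it is handled below.
    if not parsed.scheme and not parsed.netloc:
        return url.startswith("/") and not url.startswith("//")

    # 4. Absolute (or protocol-relative) URL: the parsed hostname must be
    #    in the trusted set. Using .hostname ignores userinfo and port, so
    #    "https://trusted.example@evil.example/" resolves to evil.example.
    hostname = parsed.hostname
    if not hostname:
        return False
    return hostname.lower() in {h.lower() for h in trusted_hosts}


if __name__ == "__main__":
    # Constructed sample inputs for a manual run.
    trusted = {"trusted.example"}
    samples = [
        "https://trusted.example/done",
        "/account/settings",
        "//evil.example/x",
        "https://trusted.example\\@evil.example/",
        "javascript:alert(1)",
        "https://trusted.example/\u0000",
        "https://trusted.example@evil.example/",
    ]
    for sample in samples:
        print(f"{sample!r:50} -> {is_safe_redirect(sample, trusted)}")
```

The function is deliberately strict about what it accepts rather than trying to repair a bad URL: on rejection a caller should fall back to a fixed default, such as the application's home page, rather than attempt to clean the submitted value.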
You are affected if you are using a version that falls within the vulnerable range.
social-auth-core is vulnerable to Improper Input Validation in versions 0.0.1 - 4.8.6.
Upgrade the social-auth-core library to the patched version.