social-auth-core is vulnerable to Cross-Site Request Forgery (CSRF)
59
Medium Risk
The partial pipeline resume logic in social_core/utils.py selects the pipeline token before checking whether an external resume needs confirmation. When the request token matches the current session token, the code treats the request as session-owned and resumes immediately, skipping the confirmation step intended for externally resumable partials. As a result, an externally resumable partial link (such as an email validation link) can be consumed by a plain GET in the originating session without the intended confirmation, enabling login CSRF-style consumption of the partial. The fix adds _partial_pipeline_requires_confirmation and reorders token selection so external resumes require explicit confirmation even within the same session.
You are affected if you are using a version that falls within the vulnerable range and your application enables externally resumable partial pipelines (the allow_external_resume option).
social-auth-core is vulnerable to Cross-Site Request Forgery (CSRF) in versions 5.0.0 - 5.0.0.
Upgrade the social-auth-core library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant