social-auth-core is vulnerable to Cross-Site Request Forgery (CSRF)
46
Medium Risk
The social-auth-core LINE and Shopify OAuth backends complete the login callback without validating the OAuth state parameter against the value stored in the session. The Shopify backend also never sends a state parameter when building its authorization URL, so the callback cannot be tied to the session that started the flow. An attacker can craft a callback request and trick a victim into completing it, logging the victim into an account chosen by the attacker. The fix sends a state value on the Shopify authorization request and validates the callback state in both backends before exchanging the authorization code.
You are affected if you are using a version that falls within the vulnerable range and your application uses the LINE or Shopify authentication backend.
social-auth-core is vulnerable to Cross-Site Request Forgery (CSRF) in versions 0.0.1 - 5.0.1.
Upgrade the social-auth-core library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant