social-auth-core is vulnerable to Cross-Site Request Forgery (CSRF)
45
Medium Risk
The library implements OAuth, SAML, and partial-pipeline authentication across many provider backends. Several flows accept an authorization callback without binding it to the user's session: the twilio and loginradius backends do not validate a state parameter, partial pipeline resume is not tied to session ownership, and the SAML backend does not validate the response against the original AuthnRequest. An attacker can abuse these gaps to perform login CSRF, replay or inject SAML responses, and confuse account identities, leading to account takeover, and related backends such as vk, vend, and odnoklassniki also trust unverified callback data. The fix enforces callback state validation, binds partial pipeline resume to session ownership or explicit confirmation, validates the SAML InResponseTo value, and verifies returned user identities.
You are affected if you are using a version that falls within the vulnerable range.
social-auth-core is vulnerable to Cross-Site Request Forgery (CSRF) in versions 0.0.1 - 4.9.1.
Upgrade the social-auth-core library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant