social-auth-app-django is vulnerable to Cross-Site Request Forgery (CSRF)
59
Medium Risk
The Django social authentication views expose login initiation and externally resumed partial pipelines. Before the fix, the login begin view accepted GET requests by default, so a cross-site request could silently start a social login in a victim's browser and drive their authentication flow (login CSRF). The same release also adds a server-generated nonce confirmation page that must be submitted before an externally resumed partial pipeline continues, closing a related forged or replayed resume path. The fix makes the login views always require POST and renders the confirmation page for external partial-pipeline resumes.
You are affected if you are using a version that falls within the vulnerable range and your application exposes the social authentication login or partial-pipeline resume endpoints.
social-auth-app-django is vulnerable to Cross-Site Request Forgery (CSRF) in versions 0.0.1 - 5.9.0.
Upgrade the social-auth-app-django library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant