CVE-2025-68158 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2025-68158 Interim 1 1 2026-03-05T00:25:53Z current 2026-03-05T00:25:53Z 2026-03-05T00:25:53Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2025-68158 Authlib is a Python library which builds OAuth and OpenID Connect servers. In version 1.6.5 and prior, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an attacker-initiated authentication flow). When a cache is supplied to the OAuth client registry, FrameworkIntegration.set_state_data writes the entire state blob under _state_{app}_{state}, and get_state_data ignores the caller's session altogether. This issue has been patched in version 1.6.6. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise Module for Python 3 15 SP7 SUSE Linux Enterprise Module for Python 3 15 SP7 SUSE Linux Enterprise Server 15 SP6-LTSS SUSE Linux Enterprise Module for Python 3 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP6 SUSE Linux Enterprise Module for Python 3 15 SP7 openSUSE Leap 15.6 openSUSE Leap 16.0 openSUSE Tumbleweed python-Authlib python311-Authlib python311-Authlib-1.3.1-150600.3.14.1 python311-Authlib-1.6.6-1.1 python312-Authlib-1.6.6-1.1 python313-Authlib-1.5.2-bp160.2.1 python313-Authlib-1.6.6-1.1 python313-Authlib-1.5.2-bp160.2.1 as a component of openSUSE Leap 16.0 python311-Authlib-1.6.6-1.1 as a component of openSUSE Tumbleweed python312-Authlib-1.6.6-1.1 as a component of openSUSE Tumbleweed python313-Authlib-1.6.6-1.1 as a component of openSUSE Tumbleweed python311-Authlib-1.3.1-150600.3.14.1 as a component of SUSE Linux Enterprise Module for Python 3 15 SP7 python311-Authlib-1.3.1-150600.3.14.1 as a component of openSUSE Leap 15.6 python311-Authlib as a component of SUSE Linux Enterprise Module for Python 3 15 SP7 python-Authlib as a component of SUSE Linux Enterprise Module for Python 3 15 SP7 python311-Authlib as a component of SUSE Linux Enterprise Server 15 SP6-LTSS python-Authlib as a component of SUSE Linux Enterprise Server 15 SP6-LTSS python311-Authlib as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP6 python-Authlib as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP6 python311-Authlib as a component of openSUSE Leap 15.6 python-Authlib as a component of openSUSE Leap 15.6 Authlib is a Python library which builds OAuth and OpenID Connect servers. In version 1.6.5 and prior, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an attacker-initiated authentication flow). When a cache is supplied to the OAuth client registry, FrameworkIntegration.set_state_data writes the entire state blob under _state_{app}_{state}, and get_state_data ignores the caller's session altogether. This issue has been patched in version 1.6.6. CVE-2025-68158 openSUSE Leap 16.0:python313-Authlib-1.5.2-bp160.2.1 openSUSE Tumbleweed:python311-Authlib-1.6.6-1.1 openSUSE Tumbleweed:python312-Authlib-1.6.6-1.1 openSUSE Tumbleweed:python313-Authlib-1.6.6-1.1 SUSE Linux Enterprise Module for Python 3 15 SP7:python311-Authlib-1.3.1-150600.3.14.1 openSUSE Leap 15.6:python311-Authlib-1.3.1-150600.3.14.1 moderate 5.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N