{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-61783", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-09-30T19:43:49.902Z", "datePublished": "2025-10-09T20:57:20.734Z", "dateUpdated": "2025-10-15T19:49:22.392Z"}, "containers": {"cna": {"title": "Python Social Auth - Django has unsafe account association", "problemTypes": [{"descriptions": [{"cweId": "CWE-303", "lang": "en", "description": "CWE-303: Incorrect Implementation of Authentication Algorithm", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-wv4w-6qv2-qqfg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-wv4w-6qv2-qqfg"}, {"name": "https://github.com/python-social-auth/social-app-django/issues/220", "tags": ["x_refsource_MISC"], "url": "https://github.com/python-social-auth/social-app-django/issues/220"}, {"name": "https://github.com/python-social-auth/social-app-django/issues/231", "tags": ["x_refsource_MISC"], "url": "https://github.com/python-social-auth/social-app-django/issues/231"}, {"name": "https://github.com/python-social-auth/social-app-django/issues/634", "tags": ["x_refsource_MISC"], "url": "https://github.com/python-social-auth/social-app-django/issues/634"}, {"name": "https://github.com/python-social-auth/social-app-django/pull/803", "tags": ["x_refsource_MISC"], "url": "https://github.com/python-social-auth/social-app-django/pull/803"}, {"name": "https://github.com/python-social-auth/social-app-django/commit/10c80e2ebabeccd4e9c84ad0e16e1db74148ed4c", "tags": ["x_refsource_MISC"], "url": "https://github.com/python-social-auth/social-app-django/commit/10c80e2ebabeccd4e9c84ad0e16e1db74148ed4c"}], "affected": [{"vendor": "python-social-auth", "product": "social-app-django", "versions": [{"version": "< 5.6.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-10-09T20:57:20.734Z"}, "descriptions": [{"lang": "en", "value": "Python Social Auth is a social authentication/registration mechanism. In versions prior to 5.6.0, upon authentication, the user could be associated by e-mail even if the `associate_by_email` pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or doesn't require unique e-mail addresses. Version 5.6.0 contains a patch. As a workaround, review the authentication service policy on e-mail addresses; many will not allow exploiting this vulnerability."}], "source": {"advisory": "GHSA-wv4w-6qv2-qqfg", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/python-social-auth/social-app-django/issues/634", "tags": ["exploit"]}, {"url": "https://github.com/python-social-auth/social-app-django/issues/231", "tags": ["exploit"]}, {"url": "https://github.com/python-social-auth/social-app-django/issues/220", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-15T19:49:15.864104Z", "id": "CVE-2025-61783", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T19:49:22.392Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-61783", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-15T19:49:15.864104Z"}}}], "references": [{"url": "https://github.com/python-social-auth/social-app-django/issues/634", "tags": ["exploit"]}, {"url": "https://github.com/python-social-auth/social-app-django/issues/231", "tags": ["exploit"]}, {"url": "https://github.com/python-social-auth/social-app-django/issues/220", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T19:48:58.459Z"}}], "cna": {"title": "Python Social Auth - Django has unsafe account association", "source": {"advisory": "GHSA-wv4w-6qv2-qqfg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "python-social-auth", "product": "social-app-django", "versions": [{"status": "affected", "version": "< 5.6.0"}]}], "references": [{"url": "https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-wv4w-6qv2-qqfg", "name": "https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-wv4w-6qv2-qqfg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/python-social-auth/social-app-django/issues/220", "name": "https://github.com/python-social-auth/social-app-django/issues/220", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/python-social-auth/social-app-django/issues/231", "name": "https://github.com/python-social-auth/social-app-django/issues/231", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/python-social-auth/social-app-django/issues/634", "name": "https://github.com/python-social-auth/social-app-django/issues/634", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/python-social-auth/social-app-django/pull/803", "name": "https://github.com/python-social-auth/social-app-django/pull/803", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/python-social-auth/social-app-django/commit/10c80e2ebabeccd4e9c84ad0e16e1db74148ed4c", "name": "https://github.com/python-social-auth/social-app-django/commit/10c80e2ebabeccd4e9c84ad0e16e1db74148ed4c", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Python Social Auth is a social authentication/registration mechanism. In versions prior to 5.6.0, upon authentication, the user could be associated by e-mail even if the `associate_by_email` pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or doesn't require unique e-mail addresses. Version 5.6.0 contains a patch. As a workaround, review the authentication service policy on e-mail addresses; many will not allow exploiting this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-303", "description": "CWE-303: Incorrect Implementation of Authentication Algorithm"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-10-09T20:57:20.734Z"}}}, "cveMetadata": {"cveId": "CVE-2025-61783", "state": "PUBLISHED", "dateUpdated": "2025-10-15T19:49:22.392Z", "dateReserved": "2025-09-30T19:43:49.902Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-10-09T20:57:20.734Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Python Social Auth is a social authentication/registration mechanism. In versions prior to 5.6.0, upon authentication, the user could be associated by e-mail even if the `associate_by_email` pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or doesn't require unique e-mail addresses. Version 5.6.0 contains a patch. As a workaround, review the authentication service policy on e-mail addresses; many will not allow exploiting this vulnerability."}], "id": "CVE-2025-61783", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-10-09T21:15:40.127", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/python-social-auth/social-app-django/commit/10c80e2ebabeccd4e9c84ad0e16e1db74148ed4c"}, {"source": "security-advisories@github.com", "url": "https://github.com/python-social-auth/social-app-django/issues/220"}, {"source": "security-advisories@github.com", "url": "https://github.com/python-social-auth/social-app-django/issues/231"}, {"source": "security-advisories@github.com", "url": "https://github.com/python-social-auth/social-app-django/issues/634"}, {"source": "security-advisories@github.com", "url": "https://github.com/python-social-auth/social-app-django/pull/803"}, {"source": "security-advisories@github.com", "url": "https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-wv4w-6qv2-qqfg"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/python-social-auth/social-app-django/issues/220"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/python-social-auth/social-app-django/issues/231"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/python-social-auth/social-app-django/issues/634"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-303"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "social-app-django: Python Social Auth - Django has unsafe account association", "id": "2402951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402951"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-303", "details": ["A flaw was found in Python Social Auth, a social authentication and registration framework. During authentication, a user account could be incorrectly associated by e-mail even when the associate_by_email pipeline was not explicitly enabled. This behavior could allow account takeover if a third-party authentication provider fails to properly validate or enforce uniqueness of e-mail addresses."], "mitigation": {"lang": "en:us", "value": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability.\nTo reduce the risk, administrators should restrict authentication to trusted identity providers that enforce verified and unique e-mail addresses, and ensure that the associate_by_email pipeline is disabled or tightly controlled. Limiting external providers and reviewing account-linking logic can effectively reduce the risk of unintended account association or takeover."}, "name": "CVE-2025-61783", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "python3.11-social-auth-app-django", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "python3x-social-auth-app-django", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "python-social-auth-app-django", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Fix deferred", "package_name": "python-social-auth-app-django", "product_name": "Red Hat Satellite 6"}], "public_date": "2025-10-09T20:57:20Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-61783\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-61783\nhttps://github.com/python-social-auth/social-app-django/commit/10c80e2ebabeccd4e9c84ad0e16e1db74148ed4c\nhttps://github.com/python-social-auth/social-app-django/issues/220\nhttps://github.com/python-social-auth/social-app-django/issues/231\nhttps://github.com/python-social-auth/social-app-django/issues/634\nhttps://github.com/python-social-auth/social-app-django/pull/803\nhttps://github.com/python-social-auth/social-app-django/security/advisories/GHSA-wv4w-6qv2-qqfg"], "statement": "This issue is rated Moderate rather than Important because exploitation depends on multiple external conditions and is limited in scope. The vulnerability does not introduce a direct code execution or privilege escalation vector within Python Social Auth itself; instead, it relies on insecure behavior from third-party identity providers that fail to validate or enforce unique e-mail addresses. In environments where reputable authentication services (e.g., Google, GitHub, Microsoft) are used\u2014each enforcing verified and unique e-mails\u2014the risk is effectively negligible. The flaw becomes exploitable only under misconfigured or untrusted providers, and even then, it merely enables potential account association or takeover rather than full compromise of the underlying application or system.", "threat_severity": "Moderate"}

{"created": "2025-10-10T11:17:32.400609+00:00", "updated": "2025-10-10T11:17:32.400635+00:00", "vendors": ["python-social-auth", "python-social-auth$PRODUCT$social-app-django"]}