CVE-2025-61783: Python Social Auth - Django has unsafe account association
(updated )
Upon authentication, the user could be associated by e-mail even if the associate_by_email pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or doesn’t require unique e-mail addresses.
References
- github.com/advisories/GHSA-wv4w-6qv2-qqfg
- github.com/python-social-auth/social-app-django
- github.com/python-social-auth/social-app-django/commit/10c80e2ebabeccd4e9c84ad0e16e1db74148ed4c
- github.com/python-social-auth/social-app-django/issues/220
- github.com/python-social-auth/social-app-django/issues/231
- github.com/python-social-auth/social-app-django/issues/634
- github.com/python-social-auth/social-app-django/pull/803
- github.com/python-social-auth/social-app-django/security/advisories/GHSA-wv4w-6qv2-qqfg
- nvd.nist.gov/vuln/detail/CVE-2025-61783
Code Behaviors & Features
Detect and mitigate CVE-2025-61783 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →