CVE-2025-14546: Cross-site Request Forgery (CSRF) in fastapi-sso

Severity: Medium
Published: Fri Dec 19 2025 (12/19/2025, 05:00:02 UTC)
Source: CVE Database V5
Product: fastapi-sso

Description

Versions of the package fastapi-sso before 0.19.0 are vulnerable to Cross-site Request Forgery (CSRF) due to the improper validation of the OAuth state parameter during the authentication callback. While the get_login_url method allows for state generation, it does not persist the state or bind it to the user's session. Consequently, the verify_and_process method accepts the state received in the query parameters without verifying it against a trusted local value. This allows a remote attacker to trick a victim into visiting a malicious callback URL, which can result in the attacker's account being linked to the victim's internal account.

AI-Powered Analysis

Last updated: 12/19/2025, 05:30:19 UTC

Technical Analysis

CVE-2025-14546 is a medium severity CSRF vulnerability affecting fastapi-sso package versions prior to 0.19.0. The vulnerability stems from improper handling of the OAuth state parameter during the authentication callback. While the package's get_login_url method generates a state parameter intended to prevent CSRF attacks, it neither persists this state nor binds it to the user's session context. Consequently, the verify_and_process method accepts the state parameter from the query string without verifying it against any stored or trusted value. This flaw allows a remote attacker to craft a callback URL containing an attacker-controlled state parameter. If a victim visits this URL, the attacker's account can be linked to the victim's internal account within the application. This undermines the integrity of the authentication flow, potentially allowing attackers to hijack or confuse user sessions, escalate privileges, or perform unauthorized actions under the victim's identity. The vulnerability requires no prior authentication but does require user interaction (clicking or visiting a malicious link). The CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:A/PR:L/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P) encodes a network attack vector, low attack complexity, no attack requirements, low privileges required, and user interaction needed, with high confidentiality impact, low integrity impact, and no availability impact on the vulnerable system. No public exploits have been reported yet, but the risk remains significant for applications relying on fastapi-sso for OAuth SSO integration.

Potential Impact

For European organizations, this vulnerability can lead to unauthorized linking of attacker accounts to legitimate user accounts, compromising the integrity of user authentication and session management. This can result in unauthorized access to sensitive internal resources, data leakage, or privilege escalation within enterprise applications using fastapi-sso. The impact is particularly critical for sectors handling sensitive personal data or regulated information, such as finance, healthcare, and government services. The vulnerability could also facilitate further attacks like session fixation or account takeover if combined with other weaknesses. Given the widespread adoption of OAuth-based SSO in European enterprises, exploitation could disrupt trust in authentication systems and lead to compliance violations under GDPR if personal data is exposed or misused. Although no known exploits exist currently, the ease of exploitation via social engineering (user interaction) increases the risk profile.

Mitigation Recommendations

European organizations should immediately upgrade fastapi-sso to version 0.19.0 or later, where proper state parameter validation and session binding are implemented. Until upgrading, implement additional server-side checks to validate the OAuth state parameter against a securely stored value tied to the user's session. Employ strict Content Security Policy (CSP) headers and SameSite cookie attributes to reduce CSRF risks. Educate users to avoid clicking suspicious links, especially those purporting to be authentication callbacks. Conduct thorough security testing of OAuth flows to ensure state parameters are properly handled. Monitor authentication logs for unusual account linking or session anomalies. Consider implementing multi-factor authentication (MFA) to mitigate the impact of compromised sessions. Finally, maintain an incident response plan to quickly address any suspected exploitation.
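The interim server-side check recommended above, shown beside the flawed pattern the description attributes to pre-0.19.0 releases. This is an added illustration written for this page, not code from fastapi-sso; the session store, endpoint URLs and client id are constructed stand-ins, and the two verifier functions are hypothetical names, not the package's own get_login_url or verify_and_process.

```python
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-in for a server-side session store keyed by session id.
SESSIONS: Dict[str, dict] = {}


def build_login_url(session_id: str, authorize_endpoint: str,
                    client_id: str, redirect_uri: str) -> str:
    """Generate a fresh state, bind it to the caller's session, and return
    the authorize URL the browser is redirected to."""
    state = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["oauth_state"] = state
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return f"{authorize_endpoint}?{urlencode(params)}"


def pending_state(session_id: str) -> Optional[str]:
    """State currently bound to a session, or None once it has been consumed."""
    return SESSIONS.get(session_id, {}).get("oauth_state")


def callback_accepted_unbound(callback_url: str) -> bool:
    """Flawed pattern: any state present in the query string is accepted,
    so a callback URL built by a third party passes this check."""
    qs = parse_qs(urlparse(callback_url).query)
    return bool(qs.get("code")) and bool(qs.get("state"))


def callback_accepted_bound(session_id: str, callback_url: str) -> bool:
    """Hardened pattern: the returned state must equal the value stored for
    this session. The stored value is consumed on first use, so a forged
    or replayed callback cannot pass."""
    qs = parse_qs(urlparse(callback_url).query)
    received = qs.get("state", [None])[0]
    expected = SESSIONS.get(session_id, {}).pop("oauth_state", None)
    if not received or not expected or not qs.get("code"):
        return False
    # Constant-time comparison avoids leaking the stored state via timing.
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    build_login_url("victim", "https://idp.example/authorize",
                    "demo-client", "https://app.example/callback")
    forged = "https://app.example/callback?code=other&state=other"
    print(callback_accepted_unbound(forged))            # prints True
    print(callback_accepted_bound("victim", forged))    # prints False
```

The same check should also reject a callback that arrives without any pending state for the session, which covers a user who never started a login.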


Technical Details

Data Version: 5.2
Assigner Short Name: snyk
Date Reserved: 2025-12-11T17:14:20.112Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6944df6e19341fe18884f730

Added to database: 12/19/2025, 5:15:26 AM

Last enriched: 12/19/2025, 5:30:19 AM

Last updated: 12/19/2025, 7:39:23 AM
