
CVE-2025-43856: CWE-303: Incorrect Implementation of Authentication Algorithm in immich-app immich

Severity: High
Tags: Vulnerability, CVE-2025-43856, cve, cve-2025-43856, cwe-303
Published: Fri Jul 11 2025 (07/11/2025, 17:10:52 UTC)
Source: CVE Database V5
Vendor/Project: immich-app
Product: immich

Description

immich is a high performance self-hosted photo and video management solution. Prior to 1.132.0, immich is vulnerable to account hijacking through OAuth2, because the state parameter is not being checked. The OAuth2 state parameter is similar to a CSRF token, so when the user starts the login flow this unpredictable token is generated and somehow saved in the browser session and passed to the identity provider, which will return the state parameter when redirecting the user back to immich. Before the user is logged in that parameter needs to be verified to make sure the login was actively initiated by the user in this browser session. On its own, this wouldn't be too bad, but when immich uses the /user-settings page as a redirect_uri, it will automatically link the accounts if the user was already logged in. This means that if someone has an immich instance with a public OAuth provider (like Google), an attacker can - for example - embed a hidden iframe in a webpage or even just send the victim a forged OAuth login URL with a code that logs the victim into the attacker's OAuth account and redirects back to immich and links the accounts. After this, the attacker can log into the victim's account using their own OAuth credentials. This vulnerability is fixed in 1.132.0.

AI-Powered Analysis

Last updated: 07/11/2025, 17:31:12 UTC

Technical Analysis

CVE-2025-43856 is a high-severity vulnerability affecting immich, a self-hosted photo and video management solution, in versions prior to 1.132.0. The root cause is an incorrect implementation of the OAuth2 authentication flow, specifically the failure to verify the 'state' parameter during the OAuth2 login process. The 'state' parameter is intended to act as a CSRF token, ensuring that the login request was initiated by the legitimate user in the current browser session. However, immich does not validate this parameter. Furthermore, immich uses the /user-settings page as the redirect URI, which automatically links accounts if the user is already logged in. This flaw enables an attacker to craft a malicious OAuth login URL or embed a hidden iframe that initiates an OAuth login flow with the attacker's OAuth credentials. When the victim follows this link or visits the malicious page, immich links the victim's account to the attacker's OAuth account without verifying that the victim started the flow. The attacker can then log into the victim's immich account using their own OAuth credentials, effectively hijacking the victim's account. This vulnerability is classified under CWE-303 (Incorrect Implementation of Authentication Algorithm). The CVSS 4.0 score is 7.3 (high severity), reflecting network attack vector, low attack complexity, partial privileges required, user interaction needed, and high impact on confidentiality, integrity, and availability. No known exploits are reported in the wild yet. The issue is resolved in immich version 1.132.0.

Potential Impact

For European organizations using immich for managing sensitive photo and video content, this vulnerability poses a significant risk of unauthorized account takeover. Attackers exploiting this flaw can gain access to private media, potentially leading to data leakage, privacy violations, and reputational damage. Since immich is self-hosted, organizations may have varying levels of exposure depending on their deployment configurations, especially if the OAuth provider is publicly accessible (e.g., Google). The automatic linking of accounts without proper state validation increases the risk of cross-site attacks, enabling attackers to bypass authentication controls. This can disrupt business operations, compromise user trust, and lead to regulatory non-compliance under GDPR due to unauthorized access to personal data. The requirement for user interaction (e.g., clicking a malicious link) means phishing or social engineering campaigns could be used to trigger exploitation. The lack of known exploits in the wild suggests a window of opportunity for proactive mitigation before widespread abuse occurs.

Mitigation Recommendations

1. Upgrade immich instances to version 1.132.0 or later, where the vulnerability is fixed by proper validation of the OAuth2 state parameter.
2. If immediate upgrade is not possible, implement additional access controls on the OAuth redirect URI endpoints to restrict requests to trusted origins and enforce strict session management.
3. Disable or restrict public OAuth providers if not necessary, or configure OAuth providers to require explicit user consent on each login to reduce automatic linking risks.
4. Monitor OAuth login flows and user account linking events for anomalies, such as unexpected OAuth account associations or login attempts from unusual IP addresses.
5. Educate users about phishing risks and suspicious links that could trigger unauthorized OAuth login flows.
6. Implement web application firewall (WAF) rules to detect and block suspicious OAuth login requests or iframe embedding attempts targeting immich endpoints.
7. Regularly audit and review OAuth configurations and session management policies to ensure compliance with best practices.
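To make the flaw in the Technical Analysis and the fix referred to in mitigation 1 concrete, the following is an added illustration written for this page, not immich's own code: a callback handler that never compares the returned `state` with the session next to one that issues a per-session state, compares it in constant time and consumes it. The `Session` shape, the `startLogin`/`callbackVulnerable`/`callbackFixed` names, the in-memory `linkedAccounts` map and the `exchangeCode` stand-in are all assumptions.

```typescript
// Added illustration (not immich's code). Session type, function names and the
// in-memory account store are assumptions made for this example.
import { randomBytes, timingSafeEqual } from "node:crypto";

interface Session { userId?: string; oauthState?: string }
interface CallbackQuery { code: string; state?: string }

// Constructed stand-in for the database: immich user id -> linked provider subject.
const linkedAccounts = new Map<string, string>();

// Stand-in for redeeming the authorization code at the provider. Whoever obtained
// the code chooses which provider account it resolves to, so the code by itself
// proves nothing about who started the flow in this browser.
function exchangeCode(code: string): string { return `sub-for-${code}`; }

// Step 1 of the flow: an unguessable state is generated and bound to THIS session
// before the user is sent to the identity provider.
function startLogin(session: Session): string {
  session.oauthState = randomBytes(32).toString("base64url");
  return `https://idp.example/authorize?state=${session.oauthState}`;
}

// Vulnerable pattern: the redirect_uri handler ignores query.state entirely, so a
// callback URL the user never initiated still links the account it carries.
function callbackVulnerable(session: Session, q: CallbackQuery): boolean {
  if (!session.userId) return false;        // only the already-logged-in linking path is modelled
  linkedAccounts.set(session.userId, exchangeCode(q.code));
  return true;
}

// Fixed pattern: the state must be one this session issued, compared in constant
// time, and it is cleared first so the same callback cannot be replayed.
function callbackFixed(session: Session, q: CallbackQuery): boolean {
  const expected = session.oauthState;
  session.oauthState = undefined;           // single use, even on failure
  if (!expected || !q.state || expected.length !== q.state.length) return false;
  if (!timingSafeEqual(Buffer.from(expected), Buffer.from(q.state))) return false;
  if (!session.userId) return false;
  linkedAccounts.set(session.userId, exchangeCode(q.code));
  return true;
}
```

Run against the same session, the vulnerable handler links an account on a callback that carries no state issued to that session, while the fixed handler rejects it, accepts only the state produced by `startLogin`, and refuses a second use of it.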


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-04-17T20:07:08.555Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 687146d9a83201eaacafc3f9

Added to database: 7/11/2025, 5:16:09 PM

Last enriched: 7/11/2025, 5:31:12 PM

Last updated: 8/18/2025, 11:33:27 PM
