CVE-2025-61783
Python vulnerability analysis and mitigation

Overview

Python Social Auth (social-auth-app-django) versions prior to 5.6.0 contain a vulnerability where user accounts could be associated by email even when the associate_by_email pipeline was not explicitly included. The vulnerability was discovered and disclosed on October 9, 2025, and is tracked as CVE-2025-61783. This security flaw affects the authentication mechanism in the Django social authentication framework (GitHub Advisory).

Technical details

The vulnerability stems from a concurrency workaround implemented in the create_user method within the DjangoUserMixin class in social_django/storage.py. When an IntegrityError occurs during user creation, the code would attempt to find and link to an existing user, bypassing the intended authentication controls. The vulnerability has been assigned a CVSS v4.0 base score of 6.3 (Moderate) with the vector string CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N. The issue is classified as CWE-303 (Incorrect Implementation of Authentication Algorithm) (GitHub Advisory, NVD).

Impact

The vulnerability could lead to account compromise when using third-party authentication services that do not validate the email addresses they return or do not require them to be unique. An attacker could potentially take over an existing user account by registering, through such an unverified provider, with the same email address as the victim (GitHub Advisory, Miggo).

Mitigation and workarounds

The vulnerability has been patched in version 5.6.0 of social-auth-app-django. The fix raises an AuthAlreadyAssociated exception instead of attempting to associate the login with an existing user when user creation fails. As a workaround, administrators can review their authentication providers' policies on email addresses, since the email validation requirements of many providers already prevent exploitation (GitHub Advisory, Red Hat).
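To make the flaw described in the technical details and the shape of the 5.6.0 fix concrete, the following is an added illustration written for this page; it is not social-auth-app-django's own code. A small in-memory user table with a unique email constraint stands in for Django's ORM, and the IntegrityError and AuthAlreadyAssociated classes are stand-ins constructed here.

```python
# Added illustration of the CVE-2025-61783 pattern; not the project's own code.


class IntegrityError(Exception):
    """Stand-in for the database's unique-constraint violation."""


class AuthAlreadyAssociated(Exception):
    """Stand-in for the exception the 5.6.0 fix raises."""


class UserTable:
    """Constructed minimal user store with a unique constraint on email."""

    def __init__(self):
        self.users = {}  # email -> username

    def insert(self, username, email):
        if email in self.users:
            raise IntegrityError(f"duplicate email {email!r}")
        self.users[email] = username
        return username

    def get_by_email(self, email):
        return self.users.get(email)


def create_user_vulnerable(table, username, email):
    """Pre-5.6.0 shape: the concurrency workaround swallows the IntegrityError
    and hands back whichever existing account owns that email, so the new social
    login is attached to an account the caller never proved ownership of."""
    try:
        return table.insert(username, email)
    except IntegrityError:
        return table.get_by_email(email)  # BUG: implicit associate-by-email


def create_user_fixed(table, username, email):
    """5.6.0 shape: refuse instead of attaching to an existing account."""
    try:
        return table.insert(username, email)
    except IntegrityError:
        raise AuthAlreadyAssociated("a user with this email already exists")


def login_with_duplicate_email(create_user):
    """A first user registers; a second login later arrives from an unverified
    provider claiming the same email. Returns the account the second login is
    attached to, or None if it was refused."""
    table = UserTable()
    table.insert("first_user", "shared@example.com")  # constructed sample data
    try:
        return create_user(table, "second_user", "shared@example.com")
    except AuthAlreadyAssociated:
        return None
```

With the vulnerable variant the second login lands on `first_user`; with the fixed variant it is refused, which is the behaviour change a deployment should verify after upgrading.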

Community reactions

The vulnerability was initially reported through multiple GitHub issues (#220, #231, and #634) highlighting concerns about the security implications of the automatic email association behavior. The community response led to the development and implementation of a security fix that was merged into the main branch on October 7, 2025 (GitHub PR).

Additional resources

Source: This report was generated using AI.

