CVE-2025-65430

NameCVE-2025-65430
DescriptionAn issue was discovered in allauth-django before 65.13.0. IdP: marking a user as is_active=False after having handed tokens for that user while the account was still active had no effect. Fixed the access/refresh tokens are now rejected.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1123085

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
django-allauth (PTS)bullseye0.44.0+ds-1+deb11u1vulnerable
bookworm0.51.0-1vulnerable
trixie65.0.2-1vulnerable
forky, sid65.15.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
django-allauthsource(unstable)65.15.0-11123085

Notes

[trixie] - django-allauth <no-dsa> (Minor issue; can be fixed via poin release)
[bookworm] - django-allauth <no-dsa> (Minor issue; can be fixed via poin release)
[bullseye] - django-allauth <postponed> (Fix along with next DLA)
https://allauth.org/news/2025/10/django-allauth-65.13.0-released/
Search for package or bug name: Reporting problems