CVE-2025-65431

NameCVE-2025-65431
DescriptionAn issue was discovered in allauth-django before 65.13.0. Both Okta and NetIQ were using preferred_username as the identifier for third-party provider accounts. That value may be mutable and should therefore be avoided for authorization decisions. The providers are now using sub instead.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1123085

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
django-allauth (PTS)bullseye0.44.0+ds-1+deb11u1vulnerable
bookworm0.51.0-1vulnerable
forky, sid, trixie65.0.2-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
django-allauthsource(unstable)(unfixed)1123085

Notes

[trixie] - django-allauth <no-dsa> (Minor issue)
[bookworm] - django-allauth <no-dsa> (Minor issue)
[bullseye] - django-allauth <postponed> (Minor issue)
https://allauth.org/news/2025/10/django-allauth-65.13.0-released/
https://github.com/pennersr/django-allauth/commit/8feef46e0e07b25fc5594c8f268afa247ebc3412
Search for package or bug name: Reporting problems