Hi,
The following vulnerabilities were published for django-allauth.
CVE-2025-65430[0]:
| An issue was discovered in allauth-django before 65.13.0. IdP:
| marking a user as is_active=False after having handed tokens for
| that user while the account was still active had no effect. Fixed:
| the access/refresh tokens are now rejected.
CVE-2025-65431[1]:
| An issue was discovered in allauth-django before 65.13.0. Both Okta
| and NetIQ were using preferred_username as the identifier for third-
| party provider accounts. That value may be mutable and should
| therefore be avoided for authorization decisions. The providers are
| now using sub instead.
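The two behaviours described above, modelled in an added example that is not django-allauth's code: a constructed IdP token check that re-validates is_active on every use (so deactivation revokes tokens issued while the account was active), and a provider-account lookup keyed on the stable sub claim with no fallback to preferred_username. The token format, the User class, the USERS store and the SECRET key are hypothetical stand-ins.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for an IdP's user table; not django-allauth's models.
@dataclass
class User:
    pk: int
    is_active: bool = True

USERS = {1: User(pk=1)}
SECRET = b"constructed-demo-signing-key"  # hypothetical key, demo only

def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()

def issue_token(user: User, now: float, ttl: int = 3600) -> str:
    """Mint an HMAC-signed token (hypothetical format: base64(json).hexmac)."""
    if not user.is_active:
        raise ValueError("refusing to issue a token for an inactive user")
    payload = json.dumps({"uid": user.pk, "exp": now + ttl}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def validate_token(token: str, now: float, users: dict = USERS) -> Optional[User]:
    """Return the user a token belongs to, or None if it must be rejected."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body)
    except ValueError:  # malformed token (binascii.Error is a ValueError)
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None  # tampered
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None  # expired
    user = users.get(claims["uid"])
    # The behaviour CVE-2025-65430 fixes: account status is re-checked on every
    # use, so deactivating a user revokes tokens issued while it was active.
    if user is None or not user.is_active:
        return None
    return user

def provider_uid(claims: dict) -> str:
    """Key a third-party account on 'sub', never on mutable preferred_username."""
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise ValueError("identity claims lack a usable 'sub'")  # no fallback
    return sub
```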
If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-65430
https://www.cve.org/CVERecord?id=CVE-2025-65430
[1] https://security-tracker.debian.org/tracker/CVE-2025-65431
https://www.cve.org/CVERecord?id=CVE-2025-65431
[2] https://allauth.org/news/2025/10/django-allauth-65.13.0-released/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore