fastapi-sso@0.7.2 vulnerabilities

FastAPI plugin to enable SSO to most common providers (such as Facebook login, Google login and login via Microsoft Office 365 Account)

  • latest version

    0.17.0

  • latest non vulnerable version

  • first published

    3 years ago

  • latest version published

    1 month ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the fastapi-sso package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability: Race Condition (severity: High)

    fastapi-sso is a FastAPI plugin to enable SSO to most common providers (such as Facebook login, Google login and login via Microsoft Office 365 Account)

    Affected versions of this package are vulnerable to Race Condition. When multiple concurrent login requests are processed simultaneously, the state shared between requests could allow one user to unintentionally obtain another user's access token and assume their identity. The vulnerability exists in the SSO login flow, where the provider instance state is not properly isolated between concurrent requests. This could be exploited in high concurrency scenarios by timing login requests precisely. The fix introduces async locking to ensure requests are processed sequentially and providers must be used within an async context manager.

    How to fix Race Condition?

    Upgrade fastapi-sso to version 0.16.0 or higher.

    Vulnerable versions: [,0.16.0) (all versions below 0.16.0)