label-studio-sso 6.0.2 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the label-studio-sso package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Missing Authorization label-studio-sso is a Native JWT authentication for Label Studio OSS - simple and secure SSO integration Affected versions of this package are vulnerable to Missing Authorization due to missing validation in the SSO token API. The API does not restrict account creation to pre-registered users, allowing an attacker with a valid SSO token to create arbitrary new accounts and gain unauthorized access to the application without proper authorization checks. How to fix Missing Authorization? Upgrade `label-studio-sso` to version 6.0.8 or higher.	[,6.0.8)
M Cross-site Request Forgery (CSRF) label-studio-sso is a Native JWT authentication for Label Studio OSS - simple and secure SSO integration Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to an improper exemption in the `JWTSSOSessionAuthentication` mechanism that disables CSRF token validation. An attacker can exploit this by crafting malicious cross-site requests that trigger privileged actions in the application using the victim’s authenticated session, allowing unauthorized operations to be performed without the user’s consent. How to fix Cross-site Request Forgery (CSRF)? Upgrade `label-studio-sso` to version 6.0.3 or higher.	[,6.0.3)

Vulnerability

Vulnerable Version

Missing Authorization

label-studio-sso is a Native JWT authentication for Label Studio OSS - simple and secure SSO integration

Affected versions of this package are vulnerable to Missing Authorization due to missing validation in the SSO token API. The API does not restrict account creation to pre-registered users, allowing an attacker with a valid SSO token to create arbitrary new accounts and gain unauthorized access to the application without proper authorization checks.

How to fix Missing Authorization?

Upgrade label-studio-sso to version 6.0.8 or higher.

[,6.0.8)

Cross-site Request Forgery (CSRF)

label-studio-sso is a Native JWT authentication for Label Studio OSS - simple and secure SSO integration

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to an improper exemption in the JWTSSOSessionAuthentication mechanism that disables CSRF token validation. An attacker can exploit this by crafting malicious cross-site requests that trigger privileged actions in the application using the victim’s authenticated session, allowing unauthorized operations to be performed without the user’s consent.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade label-studio-sso to version 6.0.3 or higher.

[,6.0.3)

label-studio-sso@6.0.2 vulnerabilities

Native JWT authentication for Label Studio OSS - simple and secure SSO integration

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically