Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Upgrade fastapi-sso to version 0.16.0 or higher.
fastapi-sso is a FastAPI plugin that enables SSO with the most common providers (such as Facebook login, Google login, and login via a Microsoft Office 365 account).
Affected versions of this package are vulnerable to a Race Condition. The SSO login flow keeps per-request state (including the access token obtained from the provider) on the provider instance, and that instance is not isolated between concurrent requests. When several login requests are processed at the same time, one request can read back a token written by another, so a user can unintentionally obtain another user's access token and assume their identity. Triggering this requires timing login requests precisely in a high-concurrency scenario. The fix introduces async locking so that login flows are processed sequentially, and providers must now be used within an async context manager (`async with provider:`); call sites that use the provider outside such a block must be updated along with the upgrade.
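The following is an added illustration of the failure mode described above and of the shape of the fix; it is constructed for this page and is not fastapi-sso's own code. A stand-in provider stores the access token on a single shared instance, and each `await` models a network round-trip (token exchange, userinfo fetch) during which the event loop can switch to another request. The names `SharedStateProvider`, `LockedProvider`, `verify_and_process`, and the `userinfo_hops` parameter are assumptions chosen for the example; the interleaving is forced deterministically with `asyncio.sleep(0)` so the outcome is reproducible rather than timing-dependent.

```python
import asyncio
from typing import Optional


class SharedStateProvider:
    """Vulnerable pattern: one instance shared by all requests, with the
    per-request access token stashed on that shared instance."""

    def __init__(self) -> None:
        self.access_token: Optional[str] = None

    async def verify_and_process(self, user: str, userinfo_hops: int) -> str:
        await asyncio.sleep(0)                    # token-endpoint round-trip (yields to the loop)
        self.access_token = f"token-for-{user}"   # written to the shared instance
        for _ in range(userinfo_hops):            # userinfo round-trip(s); another request can run here
            await asyncio.sleep(0)
        return self.access_token                  # reads back whatever is on the instance NOW


class LockedProvider(SharedStateProvider):
    """Hardened pattern: an asyncio.Lock serialises login flows and an async
    context manager resets per-request state on entry and exit. This mirrors
    the shape of the described fix only; it is not fastapi-sso's implementation."""

    def __init__(self) -> None:
        super().__init__()
        self._lock = asyncio.Lock()
        self._in_context = False

    async def __aenter__(self) -> "LockedProvider":
        await self._lock.acquire()   # one login flow at a time
        self.access_token = None     # never start from a stale token
        self._in_context = True
        return self

    async def __aexit__(self, *exc) -> None:
        self._in_context = False
        self.access_token = None     # drop the token before the next request can run
        self._lock.release()

    async def verify_and_process(self, user: str, userinfo_hops: int) -> str:
        if not self._in_context:
            raise RuntimeError("provider must be used as 'async with provider:'")
        return await super().verify_and_process(user, userinfo_hops)


async def _unsafe_flow() -> dict:
    provider = SharedStateProvider()  # stands in for a module-level singleton
    # Constructed schedule: alice's userinfo fetch takes one extra hop, so bob's
    # token write lands between alice's token write and alice's read-back.
    alice, bob = await asyncio.gather(
        provider.verify_and_process("alice", userinfo_hops=2),
        provider.verify_and_process("bob", userinfo_hops=1),
    )
    return {"alice": alice, "bob": bob}


async def _safe_flow() -> dict:
    provider = LockedProvider()

    async def login(user: str, hops: int) -> str:
        async with provider:                       # lock held for the whole flow
            return await provider.verify_and_process(user, hops)

    alice, bob = await asyncio.gather(login("alice", 2), login("bob", 1))
    return {"alice": alice, "bob": bob}


def run_unsafe() -> dict:
    """Shared instance without locking: alice receives bob's token."""
    return asyncio.run(_unsafe_flow())


def run_safe() -> dict:
    """Locked context-managed instance: each user gets their own token."""
    return asyncio.run(_safe_flow())


def run_without_context() -> str:
    """Using the hardened provider outside 'async with' is refused."""
    async def attempt() -> str:
        try:
            await LockedProvider().verify_and_process("eve", 1)
        except RuntimeError as err:
            return str(err)
        return "no error"
    return asyncio.run(attempt())


if __name__ == "__main__":
    print("shared state :", run_unsafe())
    print("locked       :", run_safe())
    print("no context   :", run_without_context())
```

The lock makes the two flows strictly sequential, which is what the advisory describes; the cost is that logins no longer overlap. An alternative with the same safety property is to keep no per-request state on the shared object at all (return the token from the call instead of storing it on the instance), which avoids serialising unrelated users. Either way, the check after upgrading is that every call site wraps the provider in `async with`, since the hardened pattern refuses bare calls.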