Upgrade label-studio-sso to version 6.0.3 or higher.
label-studio-sso is a native JWT authentication package for Label Studio OSS, offering simple and secure SSO integration.
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to an improper exemption in the JWTSSOSessionAuthentication mechanism that disables CSRF token validation. An attacker can exploit this by crafting malicious cross-site requests that trigger privileged actions in the application using the victim’s authenticated session, allowing unauthorized operations to be performed without the user’s consent.
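To audit your own code for the same class of flaw, the added example below (not code from label-studio-sso or from this advisory) scans Python source for session authentication classes that switch off the CSRF check. It assumes the exemption takes the form of a Django REST Framework `SessionAuthentication` subclass overriding `enforce_csrf` without delegating to the parent; the class names in the sample are hypothetical.

```python
import ast

# Constructed sample input: hypothetical DRF-style classes, not the package's source.
SAMPLE = '''
from rest_framework.authentication import SessionAuthentication

class ExemptSessionAuthentication(SessionAuthentication):
    def enforce_csrf(self, request):
        return  # token check skipped for every session-authenticated request

class CheckedSessionAuthentication(SessionAuthentication):
    def enforce_csrf(self, request):
        return super().enforce_csrf(request)

class PlainSessionAuthentication(SessionAuthentication):
    pass
'''


def _base_names(cls):
    """Names of the base classes, for both `Base` and `module.Base` forms."""
    return [getattr(b, "id", None) or getattr(b, "attr", "") for b in cls.bases]


def _delegates_to_parent(func):
    """True if the method body contains a super().enforce_csrf(...) call."""
    for node in ast.walk(func):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        target = node.func
        if (target.attr == "enforce_csrf" and isinstance(target.value, ast.Call)
                and getattr(target.value.func, "id", None) == "super"):
            return True
    return False


def find_csrf_exempt_auth(source):
    """Return (class, line) for session auth classes that override away the CSRF check."""
    findings = []
    for cls in ast.walk(ast.parse(source)):
        if not isinstance(cls, ast.ClassDef):
            continue
        if not any(n.endswith("SessionAuthentication") for n in _base_names(cls)):
            continue
        for item in cls.body:
            if (isinstance(item, ast.FunctionDef) and item.name == "enforce_csrf"
                    and not _delegates_to_parent(item)):
                findings.append((cls.name, item.lineno))
    return findings
```

A finding is a prompt for manual review rather than proof of a vulnerability: an override may still validate the token by other means that this check does not recognise.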