CVE-2025-65431

EUVD-2025-203376
An issue was discovered in allauth-django before 65.13.0. Both Okta and NetIQ were using preferred_username as the identifier for third-party provider accounts. That value may be mutable and should therefore be avoided for authorization decisions. The providers are now using sub instead.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
allauthallauth
𝑥
< 65.13.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
django-allauth
bookworm
vulnerable
bullseye
vulnerable
forky
65.15.0-1
fixed
sid
65.15.0-1
fixed
trixie
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
django-allauth
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
plucky
ignored
questing
needs-triage
Common Weakness Enumeration
References
https://allauth.org/news/2025/10/django-allauth-65.13.0-released/