CVE-2025-65431

EUVD-2025-203376
An issue was discovered in allauth-django before 65.13.0. Both Okta and NetIQ were using preferred_username as the identifier for third-party provider accounts. That value may be mutable and should therefore be avoided for authorization decisions. The providers are now using sub instead.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CISA-ADPADP
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 9%
Affected Products (NVD)
VendorProductVersion
allauthallauth
𝑥
< 65.13.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
django-allauth
bookworm
no-dsa
bullseye
postponed
forky
vulnerable
sid
vulnerable
trixie
no-dsa
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
django-allauth
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
plucky
ignored
questing
needs-triage
Common Weakness Enumeration
References
https://allauth.org/news/2025/10/django-allauth-65.13.0-released/