Key information

Vulnerability details
Vulnerability type: 1-Click Account Takeover
CVSS Base Score: 5.7
CVE ID: CVE-2025-68158
Affected versions: <= v1.6.5
Fixed version: v1.6.5

Vulnerability description
Root cause: Cache-backed storage of the OAuth state / request token is not tied to the user session that initiated the flow, which makes the flow vulnerable to CSRF.
Impact: An attacker can initiate an authentication flow, then cause a logged-in victim to perform a GET request carrying the attacker's valid state and grant code, linking the attacker's SSO account to the victim's application account.

CVSS v3 Base Metrics
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Remediation
Option 1: Store the state in the session so that it is tied to the user's session.
Option 2: Hash the session ID (or another per-user secret from the session) into the cache key.

Proof of concept
Steps:
1. Start an SSO OAuth flow and stop it before the callback.
2. Trick a logged-in user into performing a GET request with the attacker's state and grant code.
3. The attacker's SSO account is linked to the victim's application account.
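As an added illustration (not code from this advisory or from the affected project), the following Python model contrasts the missing check with both remediation options: a cache keyed only by the state token accepts a state minted in any session, whereas binding the cache key to a per-session secret (option 2) or keeping the state in the session itself (option 1) makes a state redeemable only by the session that started the flow. The `cache` dict, the session dicts and their `secret` field, and all function names are constructed stand-ins for the example.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the application's shared cache (e.g. Redis/memcached).
cache = {}


def vulnerable_begin_flow():
    """Vulnerable pattern: the state token is cached under a key that carries
    no reference to the session that started the flow."""
    state = secrets.token_urlsafe(32)
    cache["oauth_state:" + state] = True
    return state


def vulnerable_callback(state):
    """Any session presenting a cached state is accepted: the check that the
    redeeming session is the initiating session is simply missing."""
    return cache.pop("oauth_state:" + state, None) is not None


def _session_bound_key(session, state):
    """Option 2: mix a per-session secret into the cache key. ``session["secret"]``
    is assumed to be an unguessable server-side value, never a client-supplied one."""
    mac = hmac.new(session["secret"].encode(), state.encode(), hashlib.sha256)
    return "oauth_state:" + mac.hexdigest()


def secure_begin_flow(session):
    state = secrets.token_urlsafe(32)
    cache[_session_bound_key(session, state)] = True
    return state


def secure_callback(session, state):
    """Succeeds only for the session that minted the state, and only once."""
    return cache.pop(_session_bound_key(session, state), None) is not None


def session_stored_begin_flow(session):
    """Option 1: keep the state in the session store itself."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state


def session_stored_callback(session, state):
    """Constant-time compare against the state this session issued, then discard it."""
    expected = session.pop("oauth_state", None)
    return expected is not None and hmac.compare_digest(expected, state)
```

Either hardened variant also makes the cached state single-use, so a replayed callback fails after the first redemption.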