CVE-2026-25221: OAuth Missing State Parameter Validation
greprules fetch cve-2026-25221-oauth-missing-state-parameter-validation --engine opengrep
Description
The OAuth callback fails to validate the `state` parameter: it reads the `code` parameter from the callback request but never fetches or checks a `state` parameter. Without that check, an attacker can conduct a Login Cross-Site Request Forgery (CSRF) attack by supplying their own authorization code to the victim's callback. Always fetch the `state` parameter and validate it against the value bound to the user's session before the authorization redirect.
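The following is an added illustration written for this page; it is not code from greprules or from the project affected by the CVE, and the session store, parameter names (`oauth_state`) and provider URL are constructed assumptions. It places the vulnerable callback pattern (only `code` is read) beside a hardened one that binds an unguessable `state` to the session before the redirect, then fetches it on the callback, compares it in constant time, and consumes it so it cannot be replayed.

```python
import hmac
import secrets

# Constructed stand-in for a server-side session store (e.g. a signed-cookie
# session or a session table). Hypothetical, not the affected project's API.
Session = dict


def build_authorize_url_vulnerable(session: Session, client_id: str) -> str:
    # Vulnerable pattern: the redirect to the provider carries no state,
    # and the matching callback below never checks one.
    return f"https://provider.example/authorize?response_type=code&client_id={client_id}"


def handle_callback_vulnerable(session: Session, params: dict) -> str:
    # Mirrors the flaw the rule detects: only `code` is read; `state` is
    # neither fetched nor checked, so any supplied code is accepted and
    # would be exchanged for a token and bound to this session.
    code = params.get("code")
    if not code:
        raise ValueError("missing code")
    return code


def build_authorize_url_fixed(session: Session, client_id: str) -> str:
    # Generate an unguessable, single-use state, bind it to the user's
    # session before redirecting, and send it to the provider.
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return (f"https://provider.example/authorize?response_type=code"
            f"&client_id={client_id}&state={state}")


def handle_callback_fixed(session: Session, params: dict) -> str:
    # Hardened callback: fetch `state`, compare it in constant time against
    # the value bound to this session, and consume it (pop) so that a second
    # callback with the same state is refused.
    expected = session.pop("oauth_state", None)
    received = params.get("state")
    if not expected or not received or not hmac.compare_digest(expected, received):
        raise PermissionError("OAuth state mismatch: possible login CSRF")
    code = params.get("code")
    if not code:
        raise ValueError("missing code")
    return code


def callback_is_rejected(session: Session, params: dict) -> bool:
    # Convenience check: True when the hardened callback refuses the request
    # on state grounds.
    try:
        handle_callback_fixed(session, params)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # A victim session that never started a flow receives a callback carrying
    # a foreign code and no state (constructed input).
    forged = {"code": "FOREIGN_CODE"}
    print("vulnerable accepts:", handle_callback_vulnerable({}, forged))
    print("fixed rejects:", callback_is_rejected({}, forged))
```

The detection target of the rule is exactly the shape of `handle_callback_vulnerable`: a callback that reads `code` and never touches `state`. Popping the stored state before comparing also covers the replay case, since a second callback with a previously valid state finds no expected value and is refused.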
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided