EUVD-2025-21169

CVE-2025-43856 | HIGH | 7.3 (CVSS 4.0)
2025-07-11 [email protected]

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Active

Lifecycle Timeline

EUVD ID Assigned: Mar 16, 2026 - 08:18 (euvd), EUVD-2025-21169
Analysis Generated: Mar 16, 2026 - 08:18 (vuln.today)
CVE Published: Jul 11, 2025 - 17:15 (nvd)

Description

immich is a high performance self-hosted photo and video management solution. Prior to 1.132.0, immich is vulnerable to account hijacking through oauth2, because the state parameter is not being checked. The oauth2 state parameter is similar to a csrf token, so when the user starts the login flow this unpredictable token is generated and somehow saved in the browser session and passed to the identity provider, which will return the state parameter when redirecting the user back to immich. Before the user is logged in that parameter needs to be verified to make sure the login was actively initiated by the user in this browser session. On its own, this wouldn't be too bad, but when immich uses the /user-settings page as a redirect_uri, it will automatically link the accounts if the user was already logged in. This means that if someone has an immich instance with a public oauth provider (like google), an attacker can - for example - embed a hidden iframe in a webpage or even just send the victim a forged oauth login url with a code that logs the victim into the attacker's oauth account and redirects back to immich and links the accounts. After this, the attacker can log into the victim's account using their own oauth credentials. This vulnerability is fixed in 1.132.0.

Analysis

Immich versions prior to 1.132.0 are vulnerable to account hijacking through OAuth2 state parameter validation bypass (CWE-303). An attacker can perform unauthorized account linkage by exploiting missing state parameter verification, allowing them to hijack victim accounts through crafted OAuth login URLs or hidden iframes embedded in malicious webpages. This vulnerability is particularly dangerous when OAuth providers are publicly accessible, and affected users can be compromised without direct interaction if the /user-settings redirect_uri is configured.

Technical Context

Immich's OAuth2 implementation fails to validate the 'state' parameter, the CSRF-protection mechanism defined in RFC 6749. The state value should be generated unpredictably, stored in the user's session, transmitted to the identity provider, and verified when the provider redirects back; Immich performs every step except the verification. When /user-settings is used as the redirect_uri the omission becomes critical, because this endpoint auto-links the returned OAuth identity to whichever user is already authenticated, creating a confused-deputy scenario in which an attacker's OAuth credentials become linked to the victim's Immich account. This affects CPE cpe:2.3:a:immich:immich:*:*:*:*:*:*:*:* for versions <1.132.0. The root cause is CWE-303: Incorrect Implementation of Authentication Algorithm, specifically the omission of state parameter validation in the OAuth2 callback handler.

Affected Products

Immich (< 1.132.0)

Priority Score

37
KEV: 0
EPSS: +0.1
CVSS: +36
POC: 0

