{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-43856", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-04-17T20:07:08.555Z", "datePublished": "2025-07-11T17:10:52.423Z", "dateUpdated": "2025-07-11T18:13:00.477Z"}, "containers": {"cna": {"title": "immich allows account hijacking through oauth2", "problemTypes": [{"descriptions": [{"cweId": "CWE-303", "lang": "en", "description": "CWE-303: Incorrect Implementation of Authentication Algorithm", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/immich-app/immich/security/advisories/GHSA-3832-6r8h-9cfm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/immich-app/immich/security/advisories/GHSA-3832-6r8h-9cfm"}], "affected": [{"vendor": "immich-app", "product": "immich", "versions": [{"version": "< 1.132.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-11T17:10:52.423Z"}, "descriptions": [{"lang": "en", "value": "immich is a high performance self-hosted photo and video management solution. Prior to 1.132.0, immich is vulnerable to account hijacking through oauth2, because the state parameter is not being checked. The oauth2 state parameter is similar to a csrf token, so when the user starts the login flow this unpredictable token is generated and somehow saved in the browser session and passed to the identity provider, which will return the state parameter when redirecting the user back to immich. Before the user is logged in that parameter needs to be verified to make sure the login was actively initiated by the user in this browser session. On it's own, this wouldn't be too bad, but when immich uses the /user-settings page as a redirect_uri, it will automatically link the accounts if the user was already logged in. This means that if someone has an immich instance with a public oauth provider (like google), an attacker can - for example - embed a hidden iframe in a webpage or even just send the victim a forged oauth login url with a code that logs the victim into the attackers oauth account and redirects back to immich and links the accounts. After this, the attacker can log into the victims account using their own oauth credentials. This vulnerability is fixed in 1.132.0."}], "source": {"advisory": "GHSA-3832-6r8h-9cfm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-11T18:12:48.333486Z", "id": "CVE-2025-43856", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-11T18:13:00.477Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-43856", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-07-11T18:12:48.333486Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-11T18:12:53.047Z"}}], "cna": {"title": "immich allows account hijacking through oauth2", "source": {"advisory": "GHSA-3832-6r8h-9cfm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "immich-app", "product": "immich", "versions": [{"status": "affected", "version": "< 1.132.0"}]}], "references": [{"url": "https://github.com/immich-app/immich/security/advisories/GHSA-3832-6r8h-9cfm", "name": "https://github.com/immich-app/immich/security/advisories/GHSA-3832-6r8h-9cfm", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "immich is a high performance self-hosted photo and video management solution. Prior to 1.132.0, immich is vulnerable to account hijacking through oauth2, because the state parameter is not being checked. The oauth2 state parameter is similar to a csrf token, so when the user starts the login flow this unpredictable token is generated and somehow saved in the browser session and passed to the identity provider, which will return the state parameter when redirecting the user back to immich. Before the user is logged in that parameter needs to be verified to make sure the login was actively initiated by the user in this browser session. On it's own, this wouldn't be too bad, but when immich uses the /user-settings page as a redirect_uri, it will automatically link the accounts if the user was already logged in. This means that if someone has an immich instance with a public oauth provider (like google), an attacker can - for example - embed a hidden iframe in a webpage or even just send the victim a forged oauth login url with a code that logs the victim into the attackers oauth account and redirects back to immich and links the accounts. After this, the attacker can log into the victims account using their own oauth credentials. This vulnerability is fixed in 1.132.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-303", "description": "CWE-303: Incorrect Implementation of Authentication Algorithm"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-11T17:10:52.423Z"}}}, "cveMetadata": {"cveId": "CVE-2025-43856", "state": "PUBLISHED", "dateUpdated": "2025-07-11T18:13:00.477Z", "dateReserved": "2025-04-17T20:07:08.555Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-07-11T17:10:52.423Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "immich is a high performance self-hosted photo and video management solution. Prior to 1.132.0, immich is vulnerable to account hijacking through oauth2, because the state parameter is not being checked. The oauth2 state parameter is similar to a csrf token, so when the user starts the login flow this unpredictable token is generated and somehow saved in the browser session and passed to the identity provider, which will return the state parameter when redirecting the user back to immich. Before the user is logged in that parameter needs to be verified to make sure the login was actively initiated by the user in this browser session. On it's own, this wouldn't be too bad, but when immich uses the /user-settings page as a redirect_uri, it will automatically link the accounts if the user was already logged in. This means that if someone has an immich instance with a public oauth provider (like google), an attacker can - for example - embed a hidden iframe in a webpage or even just send the victim a forged oauth login url with a code that logs the victim into the attackers oauth account and redirects back to immich and links the accounts. After this, the attacker can log into the victims account using their own oauth credentials. This vulnerability is fixed in 1.132.0."}, {"lang": "es", "value": "immich es una soluci\u00f3n de gesti\u00f3n de fotos y v\u00eddeos autoalojada de alto rendimiento. En versiones anteriores a la versi\u00f3n 1.132.0, immich era vulnerable al secuestro de cuentas mediante OAuth2, ya que no se verificaba el par\u00e1metro de estado. Este par\u00e1metro de estado de OAuth2 es similar a un token CSRF; por lo tanto, cuando el usuario inicia el flujo de inicio de sesi\u00f3n, se genera este token impredecible, que se guarda de alguna manera en la sesi\u00f3n del navegador y se transmite al proveedor de identidad, que devolver\u00e1 el par\u00e1metro de estado al redirigir al usuario de vuelta a immich. Antes de que el usuario inicie sesi\u00f3n, es necesario verificar dicho par\u00e1metro para garantizar que el usuario inici\u00f3 el inicio de sesi\u00f3n activamente en esta sesi\u00f3n del navegador. Por s\u00ed solo, esto no ser\u00eda tan grave, pero cuando immich usa la p\u00e1gina /user-settings como redirect_uri, vincular\u00e1 autom\u00e1ticamente las cuentas si el usuario ya ha iniciado sesi\u00f3n. Esto significa que si alguien tiene una instancia de immich con un proveedor p\u00fablico de OAuth (como Google), un atacante puede, por ejemplo, incrustar un iframe oculto en una p\u00e1gina web o incluso enviar a la v\u00edctima una URL de inicio de sesi\u00f3n de OAuth falsificada con un c\u00f3digo que inicia sesi\u00f3n en la cuenta de OAuth del atacante, redirige a immich y vincula las cuentas. Despu\u00e9s, el atacante puede iniciar sesi\u00f3n en la cuenta de la v\u00edctima con sus propias credenciales de OAuth. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 1.132.0."}], "id": "CVE-2025-43856", "lastModified": "2025-07-15T13:14:49.980", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-07-11T17:15:36.877", "references": [{"source": "[email protected]", "url": "https://github.com/immich-app/immich/security/advisories/GHSA-3832-6r8h-9cfm"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-303"}], "source": "[email protected]", "type": "Primary"}]}

{}