CVE & CISA-KEV Catalog

CVE-2025-43856

UNSCORED

Description

immich is a high performance self-hosted photo and video management solution. Prior to 1.132.0, immich is vulnerable to account hijacking through oauth2, because the state parameter is not being checked. The oauth2 state parameter is similar to a csrf token, so when the user starts the login flow this unpredictable token is generated and somehow saved in the browser session and passed to the identity provider, which will return the state parameter when redirecting the user back to immich. Before the user is logged in that parameter needs to be verified to make sure the login was actively initiated by the user in this browser session. On it's own, this wouldn't be too bad, but when immich uses the /user-settings page as a redirect_uri, it will automatically link the accounts if the user was already logged in. This means that if someone has an immich instance with a public oauth provider (like google), an attacker can - for example - embed a hidden iframe in a webpage or even just send the victim a forged oauth login url with a code that logs the victim into the attackers oauth account and redirects back to immich and links the accounts. After this, the attacker can log into the victims account using their own oauth credentials. This vulnerability is fixed in 1.132.0.

How to fix

No published remediation has been found for this vulnerability's affected products yet.

Mitigation guidance may be in the linked vendor advisories in the References section below.

CVSS v3.1 Vector

No CVSS vector data available.

Exploit Intelligence

0.33%probability of exploitation in 30 days
24thpercentile

Low risk: more likely to be exploited than 24% of all known CVEs.

References

Other references1
Embed a live status badge for CVE-2025-43856
CVE-2025-43856 severity badge

Markdown

[![CVE-2025-43856](https://tridentstack.com/cve/badge/CVE-2025-43856.svg)](https://tridentstack.com/cve/CVE-2025-43856)

HTML

<a href="https://tridentstack.com/cve/CVE-2025-43856"><img src="https://tridentstack.com/cve/badge/CVE-2025-43856.svg" alt="CVE-2025-43856"></a>

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2025-07-15.