Improvement
Resolution: Fixed
Major
None
The current implementation does not support the `state` parameter in the OAuth2 authorization request it sends to the GitHub AS when attempting to authorize the plugin for a user. As such, it is vulnerable to CSRF attacks against the redirect URI as described in [1].
The `state` parameter is supported by the GitHub API [2], so support could be added in the github-oauth-plugin also.
[1] https://tools.ietf.org/html/rfc6819#section-4.4.1.8
[2] https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/#web-application-flow
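The mitigation the report asks for, shown end to end as an added example (this is not code from the github-oauth-plugin or from the reporter): the authorization request carries an unguessable `state` bound to the user's session, the callback is accepted only if it echoes that state, and the stored value is consumed so it cannot be replayed. The authorization endpoint and its `client_id`, `redirect_uri`, `scope` and `state` parameters are the ones documented in [2]; the helper names, the session key, the client id and the callback URL are assumptions made up for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Authorization endpoint and parameter names from GitHub's web application flow [2].
GITHUB_AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
STATE_SESSION_KEY = "github_oauth_state"  # assumed name for the per-user session slot


class StateMismatch(Exception):
    """Callback rejected: state missing, unknown for this session, or already used."""


def build_authorize_url(session, client_id, redirect_uri, scope="read:org"):
    """Start the flow: mint an unguessable state, bind it to the caller's
    session, and send it along in the authorization request."""
    state = secrets.token_urlsafe(32)
    session[STATE_SESSION_KEY] = state
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return GITHUB_AUTHORIZE_URL + "?" + urlencode(params)


def handle_callback(session, callback_url):
    """Finish the flow: accept the authorization code only if the state echoed
    back matches the one bound to this session. The stored state is consumed
    whether or not the check passes, so a callback cannot be replayed."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop(STATE_SESSION_KEY, None)
    received = query.get("state", [None])[0]
    if expected is None or received is None:
        raise StateMismatch("no state to compare")
    # Constant-time comparison; bytes so arbitrary attacker input cannot raise.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        raise StateMismatch("state does not belong to this session")
    code = query.get("code", [None])[0]
    if code is None:
        raise StateMismatch("callback carries no authorization code")
    return code


def demo():
    """Constructed walk-through: forged callback, genuine callback, replay."""
    session = {}  # stands in for the victim's server-side HTTP session
    redirect_uri = "https://jenkins.example/callback"  # assumed callback URL
    url = build_authorize_url(session, "client-id-example", redirect_uri)
    state = parse_qs(urlparse(url).query)["state"][0]

    # CSRF from [1]: the attacker lures the victim's browser to the redirect
    # URI carrying the attacker's own code. Without the state check the
    # victim's account would be bound to the attacker's GitHub identity.
    forged = redirect_uri + "?" + urlencode({"code": "attacker-code"})
    try:
        handle_callback(dict(session), forged)
        forged_rejected = False
    except StateMismatch:
        forged_rejected = True

    # Genuine callback: GitHub echoes the state it was given.
    genuine = redirect_uri + "?" + urlencode({"code": "gh-code", "state": state})
    code = handle_callback(session, genuine)

    # Replaying the same callback fails because the state was consumed.
    try:
        handle_callback(session, genuine)
        replay_rejected = False
    except StateMismatch:
        replay_rejected = True
    return forged_rejected, code, replay_rejected


if __name__ == "__main__":
    print(demo())
```

The check must run before the code is exchanged for a token; the point is to tie the callback to the browser session that initiated the authorization request, which is exactly what the missing `state` parameter leaves unbound.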