Possible account takeover vulnerability in Mastodon due to external authentication providers
CVE-2024-25618
What is CVE-2024-25618?
Mastodon, a free and open-source social networking server based on the ActivityPub protocol, exposes a vulnerability related to its authentication process. When integrating with external authentication providers such as CAS, SAML, or OIDC, Mastodon permits the formation of new identities linked to existing users sharing the same email address. This configuration could facilitate unauthorized access if an external provider allows users to alter their registered email addresses. In such scenarios, a malicious actor might hijack an account upon the first login using an external provider, as the matching is conducted solely on the email address. The risk is particularly pronounced when using popular OIDC providers that may easily permit unverified email modifications, such as Microsoft Azure. It is recommended that users immediately upgrade to the patched versions, as outlined, to mitigate this emerging security concern.
Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.
Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.
Affected Version(s)
mastodon >= 4.2.0, < 4.2.6 < 4.2.0, 4.2.6
mastodon >= 4.1.0, < 4.1.14 < 4.1.0, 4.1.14
mastodon >= 4.0.0, < 4.0.14 < 4.0.0, 4.0.14
References
CVSS V3.1
Timeline
Vulnerability published
Vulnerability Reserved