OpenID Connect Authentication Extension Vulnerability in TYPO3
CVE-2025-24856

4.2 MEDIUM

Key Information:

Vendor: Typo3
Status: Vendor
CVE Published: 16 March 2025

What is CVE-2025-24856?

A vulnerability has been identified in the OpenID Connect Authentication extension (oidc) for TYPO3 in versions prior to 4.0.0. A defect in the account linking logic creates the conditions for an account pre-hijacking attack, which can result in unauthorized account takeover. To exploit it, an attacker must predict a victim's email address and register a public frontend user account under that address before the victim's first login via OIDC; the linking logic then associates the victim's OIDC identity with the attacker-created account. The condition is made worse when the Identity Provider (IdP) returns the user's email address in the authentication response, since that address is what the linking relies on.
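
A simplified model of the linking defect, added here as an illustration and not code from the oidc extension or TYPO3: the email-only linker adopts whatever account already holds the IdP-supplied address, while the hardened variant keys on the stable subject claim and refuses to silently bind to a pre-registered local account (one common hardening pattern, not necessarily the fix shipped in 4.0.0). The class names, the store, and the claim values are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class FrontendUser:
    username: str
    email: str
    oidc_sub: Optional[str] = None  # issuer-scoped "sub" claim, bound on first OIDC login

class UserStore:
    """Hypothetical in-memory stand-in for the frontend user table."""
    def __init__(self):
        self.users = []
    def find_by_sub(self, sub):
        return next((u for u in self.users if u.oidc_sub == sub), None)
    def find_by_email(self, email):
        return next((u for u in self.users if u.email.lower() == email.lower()), None)
    def create(self, user):
        self.users.append(user)
        return user

def link_by_email_only(store, claims):
    """Vulnerable pattern: any existing account with the IdP-supplied e-mail is adopted."""
    user = store.find_by_sub(claims["sub"]) or store.find_by_email(claims["email"])
    if user is None:
        user = store.create(FrontendUser(claims["email"], claims["email"]))
    user.oidc_sub = claims["sub"]  # binds the identity to whoever registered that address first
    return user

class LinkRequiresVerification(Exception):
    """Raised when an OIDC identity collides with a pre-registered local account."""

def link_by_subject(store, claims):
    """Hardened pattern: match on the stable sub claim; never silently adopt a local account."""
    user = store.find_by_sub(claims["sub"])
    if user is not None:
        return user
    if store.find_by_email(claims["email"]) is None:
        return store.create(FrontendUser(claims["email"], claims["email"], claims["sub"]))
    raise LinkRequiresVerification(f"{claims['email']} already registered locally; verify ownership")

def simulate(linker):
    """Constructed scenario: attacker pre-registers the victim's address, victim then logs in via OIDC."""
    store = UserStore()
    store.create(FrontendUser("attacker", "victim@example.com"))
    victim_claims = {"sub": "idp|victim-1", "email": "victim@example.com"}  # constructed IdP claims
    try:
        return linker(store, victim_claims).username
    except LinkRequiresVerification:
        return "REFUSED"
```

`simulate(link_by_email_only)` returns "attacker", showing the victim's OIDC login landing in the pre-registered account, while `simulate(link_by_subject)` returns "REFUSED" and leaves the collision for an explicit ownership check.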

Affected Version(s)

oidc: all versions before 4.0.0 (0 ≤ version < 4.0.0)

CVSS V3.1

Score: 4.2
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.