Authentication Flaw in Ash Framework by Alembic
CVE-2025-32782

CVSS score: 5.3 (MEDIUM)

Key Information:

Vendor: Alembic
CVE Published: 15 April 2025

What is CVE-2025-32782?

The Ash Authentication framework contains a vulnerability in its confirmation flow for newly created accounts. Confirmation is completed by a GET request to a link sent by email. Because some email clients and security tools automatically follow links in incoming mail, they can confirm the account without any action by the recipient. An attacker can therefore register an account using another user's email address and rely on the victim's email client to auto-confirm it. The flaw is limited to the confirmation of new accounts; it does not grant access to existing accounts or private data. The issue is fixed in version 4.7.0.
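The weakness described above, and the usual remedy of making the emailed link render a form so that only an explicit POST changes state, as an added Python example; this is not Ash Authentication's code and does not reproduce its 4.7.0 fix, and the in-memory token store and handler names are constructed for illustration:

```python
import hmac
import html
import secrets

class ConfirmationStore:
    """Constructed in-memory store: pending token -> email, plus confirmed emails."""
    def __init__(self):
        self.pending, self.confirmed = {}, set()

    def issue_token(self, email):
        token = secrets.token_urlsafe(32)  # the value embedded in the emailed link
        self.pending[token] = email
        return token

    def lookup(self, token):
        # constant-time comparison against each pending token
        for known, email in self.pending.items():
            if hmac.compare_digest(known, token):
                return known, email
        return None

    def consume(self, token):
        hit = self.lookup(token)
        if hit is None:
            return None
        known, email = hit
        del self.pending[known]
        self.confirmed.add(email)
        return email

def vulnerable_confirm_get(store, query):
    # Pre-fix pattern: the GET behind the emailed link itself consumes the token, so
    # any client that follows links automatically (mail scanner, preview fetcher) confirms.
    email = store.consume(query.get("token", ""))
    return (200, f"confirmed {email}") if email else (404, "invalid token")

def hardened_confirm_get(store, query):
    # Hardened pattern: GET changes no state; it only renders a form a person submits.
    token = query.get("token", "")
    if store.lookup(token) is None:
        return 404, "invalid token"
    return 200, ('<form method="post" action="/confirm">'
                 f'<input type="hidden" name="token" value="{html.escape(token)}">'
                 '<button type="submit">Confirm account</button></form>')

def hardened_confirm_post(store, form):
    # Only the explicit POST consumes the token and marks the account confirmed.
    email = store.consume(form.get("token", ""))
    return (200, f"confirmed {email}") if email else (404, "invalid token")
```

Calling `vulnerable_confirm_get` with the token models a link-following mail client confirming the account; with the hardened handlers the same GET leaves the token pending until the POST arrives.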

Affected Version(s)

ash_authentication < 4.7.0

CVSS v3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published: 15 April 2025
  • Vulnerability reserved
