CVE-2024-25618
CVSS 3.1 Score 7.4 of 10 (high)
Details
Summary
CVE-2024-25618 is a medium severity vulnerability affecting the open-source social network server Mastodon, which uses ActivityPub. The issue lies in the way Mastodon handles new identities from external authentication providers, such as CAS, SAML, and OIDC. When a user logs in through an external provider for the first time, Mastodon checks the e-mail address to find an existing account. However, if the authentication provider allows changing the e-mail address, an attacker can hijack the Mastodon account. All users logging in through external authentication providers are vulnerable. Notable OIDC providers, like Microsoft Azure, can make it easy to accidentally allow unverified e-mail changes. The vulnerability has been addressed in versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18. Users are advised to upgrade as soon as possible, and there are no known workarounds for this issue.
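The account-linking logic the summary describes can be illustrated in Ruby, Mastodon's own implementation language. The example below is added here and is not Mastodon's code; `IdentityStore`, `resolve_external_login` and the layout of the `auth` hash (modelled on an OmniAuth auth hash) are assumptions for the illustration. It shows the safe order of lookups: a previously linked (provider, subject) pair is authoritative, an e-mail match may attach a new identity to an existing account only when the provider asserts the address is verified, and an unverified claim on an address someone else already owns is refused rather than honoured. The `allow_unverified_reattach` flag reproduces the unsafe behaviour for contrast.

```ruby
# Added example (not Mastodon's code): linking a first-time external login
# (CAS/SAML/OIDC) to a local account without letting a provider-side e-mail
# change take over someone else's account. Names are assumptions.

User = Struct.new(:id, :email)

class IdentityStore
  def initialize
    @users = {}        # id => User
    @by_email = {}     # downcased e-mail => User
    @identities = {}   # [provider, uid] => user id
    @next_id = 1
  end

  def create_user(email)
    user = User.new(@next_id, email)
    @next_id += 1
    @users[user.id] = user
    @by_email[email.downcase] = user if email
    user
  end

  def find_by_email(email)
    email && @by_email[email.downcase]
  end

  def find_by_identity(provider, uid)
    id = @identities[[provider, uid]]
    id && @users[id]
  end

  def link(provider, uid, user)
    @identities[[provider, uid]] = user.id
  end
end

# `auth` carries :provider, :uid (the provider's stable subject identifier),
# :email, and :email_verified (true only when the provider asserts it verified
# the address, e.g. the OIDC `email_verified` claim). Returns [outcome, user].
def resolve_external_login(store, auth, allow_unverified_reattach: false)
  # 1. An already-linked (provider, uid) pair is authoritative and does not
  #    depend on the e-mail address, so later e-mail changes cannot redirect it.
  if (user = store.find_by_identity(auth[:provider], auth[:uid]))
    return [:existing_identity, user]
  end

  existing = store.find_by_email(auth[:email])

  # 2. Attaching a new identity to an existing account by e-mail is only safe
  #    when the provider vouches for the address. The opt-in flag reproduces
  #    the unsafe behaviour described in the advisory, for contrast.
  if existing
    if auth[:email_verified] == true || allow_unverified_reattach
      store.link(auth[:provider], auth[:uid], existing)
      return [:reattached_by_email, existing]
    end
    # Unverified claim on an address someone already owns: refuse, and do not
    # create a duplicate account either.
    return [:rejected_unverified_email, nil]
  end

  # 3. Unknown address: create a fresh account bound to this identity.
  user = store.create_user(auth[:email])
  store.link(auth[:provider], auth[:uid], user)
  [:new_account, user]
end

# Constructed scenario: a local account exists for victim@example.org and a
# login arrives from a different subject whose e-mail was changed to that
# address without verification. Returns [outcome, user_or_nil].
def scenario(allow_unverified_reattach:)
  store = IdentityStore.new
  store.create_user("victim@example.org")
  auth = { provider: "oidc", uid: "sub-other",
           email: "victim@example.org", email_verified: false }
  resolve_external_login(store, auth, allow_unverified_reattach: allow_unverified_reattach)
end

if __FILE__ == $PROGRAM_NAME
  p scenario(allow_unverified_reattach: true)   # unsafe: reattached to victim
  p scenario(allow_unverified_reattach: false)  # safe: rejected
end
```

Keying the identity on the provider's subject identifier is what makes later e-mail changes harmless; the e-mail match is only a one-time bootstrap, and only when the provider has verified the address.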
Affected Products
- Joinmastodon Mastodon