CVE-2024-25618: Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows new identities from configured authentication providers (C...

Description

Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows new identities from configured authentication providers (CAS, SAML, OIDC) to attach to existing local users with the same e-mail address. This results in a possible account takeover if the authentication provider allows changing the e-mail address or multiple authentication providers are configured. When a user logs in through an external authentication provider for the first time, Mastodon checks the e-mail address passed by the provider to find an existing account. However, using the e-mail address alone means that if the authentication provider allows changing the e-mail address of an account, the Mastodon account can immediately be hijacked. All users logging in through external authentication providers are affected. The severity is medium, as it also requires the external authentication provider to misbehave. However, some well-known OIDC providers (like Microsoft Azure) make it very easy to accidentally allow unverified e-mail changes. Moreover, OpenID Connect also allows dynamic client registration. This issue has been addressed in versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Metrics

CVSS 3.1

7.4/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Probability

0.48%

37.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Joinmastodon	Mastodon	< 3.5.18
Joinmastodon	Mastodon	>= 4.0.0, < 4.0.14
Joinmastodon	Mastodon	>= 4.1.0, < 4.1.14
Joinmastodon	Mastodon	>= 4.2.0, < 4.2.6

References

https://github.com/mastodon/mastodon/commit/b31af34c9716338e4a32a62cc812d1ca59e88d15Patch
https://github.com/mastodon/mastodon/security/advisories/GHSA-vm39-j3vx-pch3Exploit, Vendor Advisory
https://github.com/mastodon/mastodon/commit/b31af34c9716338e4a32a62cc812d1ca59e88d15Patch
https://github.com/mastodon/mastodon/security/advisories/GHSA-vm39-j3vx-pch3Exploit, Vendor Advisory

Timeline

Published: Feb 14, 2024
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2024-25618?

Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows new identities from configured authentication providers (CAS, SAML, OIDC) to attach to existing local users with the same e-mail address. This results in a possible account takeover if the authentication provider allows changing the e-mail address or multiple authentication providers are configured. When a user logs in through an external authentication provider for the first time, Mastodon checks the e-mail address passed by the provider to find an existing account. However, using the e-mail address alone means that if the authentication provider allows changing the e-mail address of an account, the Mastodon account can immediately be hijacked. All users logging in through external authentication providers are affected. The severity is medium, as it also requires the external authentication provider to misbehave. However, some well-known OIDC providers (like Microsoft Azure) make it very easy to accidentally allow unverified e-mail changes. Moreover, OpenID Connect also allows dynamic client registration. This issue has been addressed in versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18. Users are advised to upgrade. There are no known workarounds for this vulnerability.

How severe is CVE-2024-25618?

CVE-2024-25618 has a CVSS score of 7.4/10 (HIGH severity). The EPSS model estimates a 0.48% probability of exploitation in the next 30 days.

How do I fix CVE-2024-25618?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.