Authorization Bypass Through User-Controlled Key Affecting causal/oidc package, versions >=3.0.0, <4.0.0
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PHP-CAUSALOIDC-8664937
- published29 Jan 2025
- disclosed28 Jan 2025
- creditHannes Lau
Introduced: 28 Jan 2025
NewCVE-2025-24856 (opens in a new tab)Common Vulnerabilities and Exposures (CVE) are common identifiers for publicly known security vulnerabilities
Common Weakness Enumeration (CWE) is a category system for software weaknesses
Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade causal/oidc to version 4.0.0 or higher.
Overview
Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the account linking logic. An attacker can anticipate and use the email address of a user to register a public frontend user account before the user's first OIDC login, leading to account takeover.
Note:
This is only exploitable if the IDP returns the field email containing the email address of the user.