CVE-2024-25618: 
NixOS vulnerability analysis and mitigation

Mastodon, a free open-source social network server based on ActivityPub, was found to contain a vulnerability (CVE-2024-25618) that affects its authentication system. The vulnerability was discovered by Dominik George and Pingu from Teckids and disclosed on February 14, 2024. The issue affects all versions of Mastodon prior to versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18, where the system allows new identities from configured authentication providers (CAS, SAML, OIDC) to attach to existing local users with the same email address (GitHub Advisory).

The vulnerability stems from Mastodon's authentication mechanism where it checks only the email address passed by the external authentication provider to find an existing account when a user logs in for the first time. This implementation flaw could lead to account takeover if the authentication provider allows changing the email address or if multiple authentication providers are configured. The issue has been assigned a CVSS v3.1 base score of 7.4 (HIGH) by NIST and 4.2 (MEDIUM) by GitHub, with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N (NVD).

The vulnerability affects all users logging in through external authentication providers. While the severity is considered medium due to requiring the external authentication provider to misbehave, the impact is significant as some well-known OIDC providers (like Microsoft Azure) make it easy to accidentally allow unverified email changes. Additionally, OpenID Connect's support for dynamic client registration increases the potential attack surface (GitHub Advisory).

The vulnerability has been addressed in Mastodon versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18. Users are strongly advised to upgrade to these patched versions as there are no known workarounds for this vulnerability (NVD).