CVE-2025-24856: 
PHP vulnerability analysis and mitigation

An issue was discovered in the oidc (aka OpenID Connect Authentication) extension before version 4.0.0 for TYPO3. The vulnerability was identified on January 28, 2025, and assigned CVE-2025-24856. The vulnerability affects the account linking logic of the extension, which allows for a pre-hijacking attack that could lead to Account Takeover (TYPO3 Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 4.2 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N. The issue is related to CWE-348 (Use of Less Trusted Source) and involves the account linking logic that incorrectly looks up existing users via the username field, potentially allowing for account pre-hijacking attacks (NVD, TYPO3 Advisory).

The vulnerability could lead to Account Takeover if successfully exploited. The attack can only be executed if specific conditions are met: the attacker must be able to anticipate the email address of the user, register a public frontend user account using that email address before the user's first OIDC login, and the IDP must return an email field containing the email address of the user (TYPO3 Advisory).

The vulnerability has been fixed in version 4.0.0 of the extension. The fix removes the lookup of existing feusers based on their username field and identifies existing feuser records only by their tx_oidc value. Users are advised to update to version 4.0.0 as soon as possible. For those who need to maintain username-based lookup functionality, it can be implemented using the AuthenticationFetchUserEvent, but careful consideration must be given to security implications (GitHub Commit, TYPO3 Advisory).