CVE-2025-24856: TYPO3-EXT-SA-2025-001: Account Takeover in extension "OpenID Connect Authentication" (oidc)

January 28, 2025

Problem Description

A vulnerability in the account linking logic of the extension allows a pre-hijacking attack leading to Account Takeover. The attack can only be exploited if the following requirements are met:

An attacker can anticipate the email address of the user.
An attacker can register a public frontend user account using that email address before the user’s first OIDC login.
The IDP returns the field email containing the email address of the user

Solution

An updated versions 4.0.0 is available from the TYPO3 extension manager, packagist and at https://extensions.typo3.org/extension/download/oidc/4.0.0/zip

Users of the extension are advised to update the extension as soon as possible.

References

Detect and mitigate CVE-2025-24856 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →