GHSA-3988-Q8Q7-P787
Vulnerability from github – Published: 2025-04-14 23:00 – Updated: 2025-04-16 00:40Impact
The confirmation flow for account creation currently uses a GET request triggered by clicking a link sent via email. Some email clients and security tools (e.g., Outlook, virus scanners, and email previewers) may automatically follow these links, unintentionally confirming the account. This allows an attacker to register an account using another user’s email and potentially have it auto-confirmed by the victim’s email client.
This does not allow attackers to take over or access existing accounts or private data. It is limited to account confirmation of new accounts only.
Patches
A mitigation has been released in version 4.7.0. You will also need to upgrade to 2.6.0 or later of ash_authentication_phoenix to take advantage of the autogenerated views for confirmation. The fix updates the confirmation flow to require explicit user interaction (such as clicking a button on the confirmation page) rather than performing the confirmation via a GET request. This ensures that automatic link prefetching or scanning by email clients does not unintentionally confirm accounts.
To mitigate, follow these steps:
- Upgrade
ash_authentication>=4.7.0 - Upgrade
ash_authentication_phoenix>=2.6.0(if usingash_authentication_phoenix) - Set
require_interaction? truein your confirmation strategy. - Add
confirm_routeto your router, if usingash_authentication_phoenixaboveauth_routes.
Setting require_interaction? true
modify your confirmation strategy like so:
confirmation <strategy_name> do
...
require_interaction? true
end
Adding the confirm_route to your router
In order to use this new confirmation flow, you will need to add this to your router to get the desired behavior. It will add a new route to the new confirmation page LiveView. Note the path and token_as_route_param? options, required for keeping backwards compatibility with current defaults. You may need to adjust if you have changed those routes in some way.
IMPORTANT - above auth_routes
Make sure this goes above auth_routes if you are using the path option, and it begins with /auth,
or whatever your configured auth_routes_prefix is. auth_routes greedily handles all routes at the
configured path.
confirm_route(
MyApp.Accounts.User,
<confirmation_strategy_name>,
auth_routes_prefix: "/auth",
overrides: [MyAppWeb.AuthOverrides, AshAuthentication.Phoenix.Overrides.Default],
# use these options to keep your currently issued confirmation emails compatible
# without the options below, the route will default to `/<the_strategy_name>/:token`
path: "/auth/user/<confirmation_strategy_name>",
token_as_route_param?: false
)
Users should upgrade to version 4.7.0 as soon as possible, and set require_interaction? to true in their confirmation strategy. This will change the GET request generated for confirming to a POST request.
If you upgrade to this version and do not set require_interaction? to true, compilation will be fail with a message linking to this advisory. This error can be bypassed if, for example, you are confident that you are not affected.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
You can disable the confirmation routes and create your own live view. We highly advised that you upgrade and take advantage of the builtin views if possible. If you are not using the provided views, you will need to add a confirmation LiveView, that does a POST to the old confirmation url instead of a GET. You would do this by taking the token a parameter out of the link, and adding it as a hidden field to a form. That form would have no inputs, only a button that posts to the confirmation URL. If you are using Liveview, this would be done with phx-trigger-action and phx-action.
{
"affected": [
{
"package": {
"ecosystem": "Hex",
"name": "ash_authentication"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-32782"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-14T23:00:39Z",
"nvd_published_at": "2025-04-15T22:15:28Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nThe confirmation flow for account creation currently uses a GET request triggered by clicking a link sent via email. Some email clients and security tools (e.g., Outlook, virus scanners, and email previewers) may automatically follow these links, unintentionally confirming the account. This allows an attacker to register an account using another user\u2019s email and potentially have it auto-confirmed by the victim\u2019s email client.\n\nThis does not allow attackers to take over or access existing accounts or private data. It is limited to account confirmation of new accounts only.\n\n### Patches\nA mitigation has been released in version `4.7.0`. You will also need to upgrade to `2.6.0` or later of `ash_authentication_phoenix` to take advantage of the autogenerated views for confirmation. The fix updates the confirmation flow to require explicit user interaction (such as clicking a button on the confirmation page) rather than performing the confirmation via a GET request. This ensures that automatic link prefetching or scanning by email clients does not unintentionally confirm accounts.\n\nTo mitigate, follow these steps:\n\n1. Upgrade `ash_authentication` \u003e= `4.7.0`\n2. Upgrade `ash_authentication_phoenix` \u003e= `2.6.0` (if using `ash_authentication_phoenix`)\n3. Set `require_interaction? true` in your confirmation strategy.\n4. Add `confirm_route` to your router, if using `ash_authentication_phoenix` *above* `auth_routes`.\n\n#### Setting `require_interaction? true`\n\nmodify your `confirmation` strategy like so:\n\n```elixir\nconfirmation \u003cstrategy_name\u003e do\n ...\n require_interaction? true\nend\n```\n\n#### Adding the `confirm_route` to your router\n\nIn order to use this new confirmation flow, you will need to add this to your router to get the desired behavior. It will add a new route to the new confirmation page LiveView. Note the `path` and `token_as_route_param?` options, required for keeping backwards compatibility with current defaults. You may need to adjust if you have changed those routes in some way.\n\n##### IMPORTANT - above `auth_routes`\n\nMake sure this goes *above* `auth_routes` if you are using the `path` option, and it begins with `/auth`,\nor whatever your configured `auth_routes_prefix` is. `auth_routes` greedily handles all routes at the\nconfigured path.\n\n```elixir\nconfirm_route(\n MyApp.Accounts.User,\n \u003cconfirmation_strategy_name\u003e,\n auth_routes_prefix: \"/auth\",\n overrides: [MyAppWeb.AuthOverrides, AshAuthentication.Phoenix.Overrides.Default],\n # use these options to keep your currently issued confirmation emails compatible\n # without the options below, the route will default to `/\u003cthe_strategy_name\u003e/:token`\n path: \"/auth/user/\u003cconfirmation_strategy_name\u003e\",\n token_as_route_param?: false\n)\n```\n\nUsers should upgrade to version `4.7.0` as soon as possible, and set `require_interaction?` to `true` in their confirmation strategy. This will change the `GET` request generated for confirming to a `POST` request. \n\nIf you upgrade to this version and do not set `require_interaction?` to `true`, compilation will be fail with a message linking to this advisory. This error can be bypassed if, for example, you are confident that you are not affected.\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\nYou can disable the confirmation routes and create your own live view. We highly advised that you upgrade and take advantage of the builtin views if possible. If you are not using the provided views, you will need to *add* a confirmation LiveView, that does a `POST` to the old confirmation url instead of a `GET`. You would do this by taking the token a parameter out of the link, and adding it as a hidden field to a form. That form would have no inputs, only a button that posts to the confirmation URL. If you are using Liveview, this would be done with `phx-trigger-action` and `phx-action`.",
"id": "GHSA-3988-q8q7-p787",
"modified": "2025-04-16T00:40:51Z",
"published": "2025-04-14T23:00:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/team-alembic/ash_authentication/security/advisories/GHSA-3988-q8q7-p787"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32782"
},
{
"type": "WEB",
"url": "https://github.com/team-alembic/ash_authentication/commit/99ea38977fd4f421d2aaae0c2fb29f8e5f8f707d"
},
{
"type": "PACKAGE",
"url": "https://github.com/team-alembic/ash_authentication"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "ash_authentication has email link auto-click account confirmation vulnerability"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.