CVE-2024-52289
📋 TL;DR
This vulnerability allows attackers to bypass OAuth2 redirect URI validation in authentik by exploiting improper regex escaping. Attackers can register malicious domains that match the regex pattern of legitimate redirect URIs, potentially leading to authorization code interception. All authentik instances with OAuth2 providers configured are affected.
💻 Affected Systems
- authentik
📦 What is this software?
Authentik by Goauthentik
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover via OAuth authorization code interception, leading to unauthorized access to connected applications and potential data exfiltration.
Likely Case
Attackers redirect OAuth authorization codes to domains they control, enabling them to steal access tokens and impersonate legitimate users.
If Mitigated
With proper input validation and regex escaping, the vulnerability is prevented, maintaining secure OAuth2 flow.
🎯 Exploit Status
Exploitation requires an attacker to register a domain that matches the regex pattern of a legitimate redirect URI. A public proof-of-concept demonstrates the bypass technique.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.8.5 or 2024.10.3
Vendor Advisory: https://github.com/goauthentik/authentik/security/advisories/GHSA-3q5w-6m3x-64gj
Restart Required: Yes
Instructions:
1. Update authentik to version 2024.8.5 or 2024.10.3.
2. Restart the authentik service.
3. Verify the update was successful by checking the version.
🔧 Temporary Workarounds
Manual Regex Escaping
Escape special regex characters in redirect URIs when configuring OAuth2 providers.
🧯 If You Can't Patch
- Review and validate all OAuth2 provider redirect URIs, ensuring they use proper regex escaping for special characters
- Implement an additional validation layer for redirect URIs at the application level
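Added example (not authentik's own code) showing why the escaping workaround matters: the unescaped regex check beside an escaped, fully anchored check, plus a small audit helper for the configuration review step. The allowed redirect URIs and the look-alike host are constructed values.

```python
import re

# Constructed sample configuration: the redirect URIs an OAuth2 provider
# is allowed to send authorization codes to (hypothetical values).
ALLOWED_REDIRECT_URIS = [
    "https://app.example.com/callback",
    "https://admin.example.com/oauth/return",
]

# Regex metacharacters that change meaning when a URI is used as a pattern.
REGEX_METACHARACTERS = set(r".^$*+?{}[]\|()")


def is_allowed_unescaped(redirect_uri: str, allowed=ALLOWED_REDIRECT_URIS) -> bool:
    """Weak check: each configured URI is used as a raw regex.

    An unescaped '.' matches any single character, so a registrable
    look-alike host such as app-example.com also satisfies the pattern,
    and re.match only anchors at the start of the string.
    """
    return any(re.match(pattern, redirect_uri) is not None for pattern in allowed)


def is_allowed_escaped(redirect_uri: str, allowed=ALLOWED_REDIRECT_URIS) -> bool:
    """Hardened check: metacharacters are escaped and the whole string must
    match, so only the literal configured URI is accepted.
    """
    return any(
        re.fullmatch(re.escape(pattern), redirect_uri) is not None for pattern in allowed
    )


def unescaped_metacharacters(configured_uri: str) -> list:
    """Audit helper: list the regex metacharacters present in a configured
    redirect URI. A non-empty result means the URI, if interpreted as a
    regex, matches more than the literal string.
    """
    return sorted({ch for ch in configured_uri if ch in REGEX_METACHARACTERS})
```

Run the audit helper over every redirect URI in your provider configuration; any URI that reports metacharacters needs escaping (or exact-match handling) on an unpatched instance.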
🔍 How to Verify
Check if Vulnerable:
Check whether the authentik version is below 2024.8.5 (on the 2024.8 series) or below 2024.10.3 (on the 2024.10 series), and review OAuth2 provider configurations for unescaped regex characters in redirect URIs.
Check Version:
Check authentik admin interface or run: docker exec authentik authentik version
Verify Fix Applied:
Confirm the authentik version is 2024.8.5 or 2024.10.3, and test OAuth2 redirect URI validation with malicious patterns.
📡 Detection & Monitoring
Log Indicators:
- Unusual redirect URI patterns in OAuth2 authorization logs
- Authorization requests to domains with similar patterns to legitimate redirect URIs
Network Indicators:
- OAuth2 authorization redirects to unexpected domains
- Traffic to domains with names similar to legitimate services
SIEM Query:
source="authentik" AND (event="oauth2_authorization" OR event="redirect_uri_validation") AND uri="*.*"
🔗 References
- https://github.com/goauthentik/authentik/commit/85bb638243c8d7ea42ddd3b15b3f51a90d2b8c54
- https://github.com/goauthentik/authentik/security/advisories/GHSA-3q5w-6m3x-64gj
- https://www.vicarius.io/vsociety/posts/cve-2024-52289-detect-authentik-vulnerability
- https://www.vicarius.io/vsociety/posts/cve-2024-52289-mitigate-authentik-vulnerability