CVE-2025-24856
📋 TL;DR
This vulnerability in TYPO3's OpenID Connect extension allows account takeover through a pre-hijacking attack. An attacker can register an account using a victim's email address before the victim performs their first OIDC login; the victim's OIDC identity is then linked to the attacker-controlled account, giving the attacker unauthorized access. Only TYPO3 installations using the vulnerable oidc extension versions are affected.
💻 Affected Systems
- TYPO3 oidc (OpenID Connect Authentication) extension
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover of any user account where the attacker can predict the email address and register first, leading to unauthorized access, data exposure, and potential privilege escalation.
Likely Case
Targeted attacks against specific high-value users where attackers can predict email addresses, resulting in unauthorized account access and potential data compromise.
If Mitigated
Limited impact due to the specific requirements (predictable email, registration timing, IDP configuration) making exploitation difficult without insider knowledge.
🎯 Exploit Status
Exploitation requires multiple conditions: predicting victim email, registering account before victim's first OIDC login, and IDP returning email field. This makes automated exploitation challenging.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.0.0
Vendor Advisory: https://typo3.org/security/advisory/typo3-ext-sa-2025-001
Restart Required: No
Instructions:
1. Update the oidc extension to version 4.0.0 or later via TYPO3 Extension Manager.
2. Clear all caches.
3. Verify the update was successful by checking the extension version.
🔧 Temporary Workarounds
Disable OIDC Authentication
Temporarily disable OpenID Connect authentication until patching is possible.
Disable the oidc extension in TYPO3 Extension Manager
Require Email Verification
Implement additional email verification for new user registrations.
Configure TYPO3 to require email confirmation for new user accounts
🧯 If You Can't Patch
- Monitor user registration logs for suspicious patterns of email address registration
- Implement rate limiting on user registration to prevent bulk registration attempts
🔍 How to Verify
Check if Vulnerable:
Check the oidc extension version in TYPO3 Extension Manager. If version is below 4.0.0, the system is vulnerable.
Check Version:
Check via TYPO3 backend: Extensions → Manage Extensions → Search for 'oidc'
Verify Fix Applied:
Verify the oidc extension shows version 4.0.0 or higher in TYPO3 Extension Manager.
📡 Detection & Monitoring
Log Indicators:
- Multiple user registrations with similar email patterns
- Failed OIDC login attempts followed by successful logins from different IPs
- User account modifications shortly after registration
Network Indicators:
- Unusual patterns of registration requests to user creation endpoints
SIEM Query:
source="typo3_logs" AND (event="user_registration" OR event="oidc_login") | stats count by user_email, src_ip
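The SIEM query above only counts events per email and source IP; triaging the result by hand is tedious. The following added example (not part of this advisory or of the TYPO3 project) shows one way to run the two log indicators listed above over sample log lines offline: it flags email addresses whose local registration preceded their first OIDC login from a different source IP (the pre-hijacking pattern), and source IPs that registered several accounts in a short window (bulk registration). The key=value log format, the field names, the sample lines and the thresholds are all constructed assumptions, not TYPO3's real log format.

```python
"""Offline triage of constructed TYPO3-style log lines for the pre-hijacking
pattern behind CVE-2025-24856. The log format, field names and sample data
below are assumptions made for this example, not real TYPO3 output."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp followed by key=value pairs.
SAMPLE_LOGS = """\
2025-03-01T08:00:00Z event=user_registration user_email=alice@example.org src_ip=203.0.113.7
2025-03-01T08:00:05Z event=user_registration user_email=bob@example.org src_ip=203.0.113.7
2025-03-01T08:00:09Z event=user_registration user_email=carol@example.org src_ip=203.0.113.7
2025-03-01T08:01:00Z event=user_registration user_email=dave@example.org src_ip=198.51.100.4
2025-03-02T09:30:00Z event=oidc_login user_email=alice@example.org src_ip=192.0.2.55
2025-03-02T10:00:00Z event=oidc_login user_email=dave@example.org src_ip=198.51.100.4
2025-03-02T11:00:00Z event=oidc_login user_email=erin@example.org src_ip=192.0.2.80
"""


def parse_line(line):
    """Parse one 'TIMESTAMP k=v k=v ...' line into a dict with a datetime 'ts'."""
    ts_str, *pairs = line.split()
    record = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        record[key] = value
    return record


def parse_logs(text):
    """Parse all non-empty lines of a log blob."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_prehijack_candidates(records):
    """Emails whose first local registration came before their first OIDC login
    and from a different source IP than that OIDC login.

    This is the shape a pre-hijack leaves behind: the account already existed
    when the legitimate user's identity provider login was linked to it. It also
    matches benign users who registered locally and later switched to OIDC from
    another network, so treat hits as triage leads, not verdicts."""
    first_registration = {}
    first_oidc_login = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        email = rec["user_email"]
        if rec["event"] == "user_registration":
            first_registration.setdefault(email, rec)
        elif rec["event"] == "oidc_login":
            first_oidc_login.setdefault(email, rec)

    hits = []
    for email, oidc in first_oidc_login.items():
        reg = first_registration.get(email)
        if reg and reg["ts"] < oidc["ts"] and reg["src_ip"] != oidc["src_ip"]:
            hits.append({
                "user_email": email,
                "registered_from": reg["src_ip"],
                "registered_at": reg["ts"],
                "first_oidc_from": oidc["src_ip"],
                "first_oidc_at": oidc["ts"],
            })
    return hits


def find_bulk_registrations(records, window=timedelta(minutes=5), threshold=3):
    """Source IPs that registered at least `threshold` accounts within any
    `window`-long span. Returns {src_ip: max registrations seen in one window}."""
    times_by_ip = defaultdict(list)
    for rec in records:
        if rec["event"] == "user_registration":
            times_by_ip[rec["src_ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0  # left edge of the sliding window
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    records = parse_logs(SAMPLE_LOGS)
    for hit in find_prehijack_candidates(records):
        print("possible pre-hijack:", hit)
    for ip, count in find_bulk_registrations(records).items():
        print(f"bulk registration: {ip} created {count} accounts in one window")
```

On the constructed sample, alice@example.org is flagged because her account was registered from 203.0.113.7 the day before her first OIDC login from 192.0.2.55, while dave@example.org (same IP for both events) and erin@example.org (no prior registration) are not; 203.0.113.7 is flagged for creating three accounts within nine seconds. Both detectors are noisy on their own, so correlate a hit with the account-modification indicator listed above before acting on it.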