CVE-2024-25618: CWE-287: Improper Authentication in mastodon mastodon
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows new identities from configured authentication providers (CAS, SAML, OIDC) to attach to existing local users with the same e-mail address. This results in a possible account takeover if the authentication provider allows changing the e-mail address or multiple authentication providers are configured. When a user logs in through an external authentication provider for the first time, Mastodon checks the e-mail address passed by the provider to find an existing account. However, using the e-mail address alone means that if the authentication provider allows changing the e-mail address of an account, the Mastodon account can immediately be hijacked. All users logging in through external authentication providers are affected. The severity is medium, as it also requires the external authentication provider to misbehave. However, some well-known OIDC providers (like Microsoft Azure) make it very easy to accidentally allow unverified e-mail changes. Moreover, OpenID Connect also allows dynamic client registration. This issue has been addressed in versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18. Users are advised to upgrade. There are no known workarounds for this vulnerability.
AI Analysis
Technical Summary
CVE-2024-25618 is a medium-severity improper authentication vulnerability (CWE-287) in Mastodon, an open-source social network server implementing the ActivityPub protocol. The flaw lies in how Mastodon handles logins via external providers such as CAS, SAML, and OpenID Connect (OIDC). When a user logs in for the first time through an external provider, Mastodon links the external identity to an existing local account by matching the e-mail address the provider asserts, with no further verification. If the provider permits changing the e-mail address on an account, or if several providers are configured, an attacker who can cause a provider to assert a victim's address is logged in as that victim, because Mastodon trusts the asserted address alone to identify the user. Some popular OIDC providers, including Microsoft Azure, can allow unverified e-mail changes, and OpenID Connect's dynamic client registration can further complicate secure configuration. Mastodon versions prior to the patched releases 4.2.6, 4.1.14, 4.0.14, and 3.5.18 are affected. There are no known workarounds, making upgrading essential. The CVSS 3.1 base score is 4.2: network attack vector, high attack complexity, no privileges required, user interaction required, low confidentiality and integrity impact, and no availability impact.
No known exploits are currently in the wild, but the vulnerability poses a risk especially where external authentication providers are misconfigured or allow e-mail changes without verification.
Potential Impact
For European organizations using Mastodon as a social networking or communication platform, this vulnerability could lead to unauthorized account takeovers if their external authentication providers allow e-mail address changes or if multiple providers are configured insecurely. Such account compromises could result in unauthorized access to sensitive communications, impersonation, and potential reputational damage. Given Mastodon's popularity among privacy-conscious and decentralized social networks, organizations relying on it for internal or community engagement could face disruption or data leakage. The risk is heightened in environments where Microsoft Azure or similar OIDC providers are used without strict e-mail verification policies. Although the vulnerability requires a misbehaving or compromised external authentication provider, the potential for account hijacking undermines trust in federated identity management. This could impact confidentiality and integrity of user accounts and associated data, although availability is not affected. The medium severity suggests that while exploitation is not trivial, the impact on affected accounts can be significant, especially for high-profile or sensitive users within European entities.
Mitigation Recommendations
The primary mitigation is to upgrade Mastodon installations to versions 4.2.6, 4.1.14, 4.0.14, or 3.5.18 or later, where the vulnerability has been addressed. Organizations should audit and harden their external authentication providers to ensure that e-mail addresses cannot be changed without verification or administrative approval. Specifically, disable or restrict unverified e-mail changes in OIDC providers like Microsoft Azure. Avoid configuring multiple external authentication providers that could conflict or allow identity confusion. Implement additional verification steps in Mastodon for linking external identities, such as requiring proof beyond e-mail matching. Monitor authentication logs for unusual login patterns or changes in linked e-mail addresses. Where possible, use authentication providers that enforce strict identity verification and support multi-factor authentication. Finally, educate users about the risks of account takeover and encourage vigilance regarding authentication notifications.
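To make the mechanism in the technical summary and the "proof beyond e-mail matching" mitigation concrete, here is an added illustrative example in Ruby (Mastodon is a Rails application). It is not Mastodon's own code: the table layout, method names, the `Auth` struct standing in for an OmniAuth-style auth hash, and the `allow_reattach` option are all assumptions. The first function reproduces the e-mail-only matching the advisory describes; the second resolves a known (provider, uid) pair directly, never silently attaches an unknown identity to an existing account by e-mail, and writes an audit line whenever an operator-approved re-attachment happens, which is the kind of event the log monitoring above should watch for.

```ruby
# Added illustrative example, not Mastodon's code. In-memory model of how an
# external identity gets attached to a local user account.
User       = Struct.new(:id, :email, keyword_init: true)
Identity   = Struct.new(:provider, :uid, :user_id, keyword_init: true)
# What the external provider asserts on login (constructed shape, assumption).
Auth       = Struct.new(:provider, :uid, :email, :email_verified, keyword_init: true)
LinkResult = Struct.new(:user, :status, keyword_init: true)

# Stand-in for the users and identities tables.
class Store
  attr_reader :users, :identities

  def initialize
    @users = []
    @identities = []
    @next_id = 1
  end

  def add_user(email)
    user = User.new(id: @next_id, email: email)
    @next_id += 1
    @users << user
    user
  end

  def find_user(id)
    @users.find { |u| u.id == id }
  end

  def find_user_by_email(email)
    @users.find { |u| u.email.casecmp?(email) }
  end

  def find_identity(provider, uid)
    @identities.find { |i| i.provider == provider && i.uid == uid }
  end

  def link(provider, uid, user)
    @identities << Identity.new(provider: provider, uid: uid, user_id: user.id)
  end
end

# Vulnerable pattern (CVE-2024-25618): a never-before-seen identity is attached
# to whichever local user already has the asserted e-mail address, regardless
# of what the provider says about that address or which provider it is.
def vulnerable_user_for_auth(store, auth)
  identity = store.find_identity(auth.provider, auth.uid)
  return store.find_user(identity.user_id) if identity

  user = store.find_user_by_email(auth.email) || store.add_user(auth.email)
  store.link(auth.provider, auth.uid, user)
  user
end

# Hardened pattern: a known (provider, uid) pair resolves directly. An unknown
# identity either gets a fresh account or, when the e-mail already belongs to
# a local user, is refused so the user can link it from an authenticated
# session instead. Automatic re-attachment only happens when the operator
# opts in AND the provider asserts the address is verified, and it is logged.
def hardened_user_for_auth(store, auth, allow_reattach: false)
  identity = store.find_identity(auth.provider, auth.uid)
  return LinkResult.new(user: store.find_user(identity.user_id), status: :known_identity) if identity

  existing = store.find_user_by_email(auth.email)
  if existing.nil?
    user = store.add_user(auth.email)
    store.link(auth.provider, auth.uid, user)
    return LinkResult.new(user: user, status: :created)
  end

  if allow_reattach && auth.email_verified
    store.link(auth.provider, auth.uid, existing)
    # Audit trail: a burst of these events is a signal worth alerting on.
    warn "audit: attached #{auth.provider}:#{auth.uid} to user #{existing.id} by verified e-mail match"
    return LinkResult.new(user: existing, status: :reattached)
  end

  LinkResult.new(user: nil, status: :email_collision)
end

# Regression fixture (constructed data): a local user exists, then an unknown
# external identity arrives claiming that user's e-mail address.
def store_with_victim
  store = Store.new
  store.add_user('victim@example.org')
  store
end

def foreign_identity(verified: false)
  Auth.new(provider: 'oidc', uid: 'sub-0001', email: 'victim@example.org', email_verified: verified)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable resolves to user id: #{vulnerable_user_for_auth(store_with_victim, foreign_identity).id}"
  puts "hardened result: #{hardened_user_for_auth(store_with_victim, foreign_identity).status}"
end
```

The key design choice is that the durable identifier for an external login is the (provider, subject) pair, not the e-mail address; e-mail is at most a hint that must be confirmed from an already-authenticated session. Run as a script, the vulnerable path resolves the foreign identity to the existing user while the hardened path returns `:email_collision`.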
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium, Austria, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2024-02-08T22:26:33.510Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9816c4522896dcbd6d2b
Added to database: 5/21/2025, 9:08:38 AM
Last enriched: 7/4/2025, 9:56:29 PM
Last updated: 8/4/2025, 1:54:36 PM