VYPR · Medium severity · 4.2 · NVD Advisory · Published Mar 16, 2025 · Updated Apr 15, 2026

CVE-2025-24856

Description

An issue was discovered in the oidc (aka OpenID Connect Authentication) extension before 4.0.0 for TYPO3. The account linking logic allows a pre-hijacking attack, leading to Account Takeover. The attack can only be exploited if the following requirements are met: (1) an attacker can anticipate the e-mail address of the user, (2) an attacker can register a public frontend user account using that e-mail address before the user's first OIDC login, and (3) the IDP returns an email field containing the e-mail address of the user.
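To make the linking flaw concrete, the following is an added, simplified model of the lookup step the description refers to; it is not code from the causal/oidc extension. The in-memory user table, the `FeUser`/`Claims` types, the helper names and the sample subject value are constructed for illustration. `find_user_vulnerable` mirrors the pre-4.0.0 condition (match on the stored subject or on `username` equal to the IDP-supplied e-mail), `find_user_fixed` mirrors the 4.0.0 condition (match on the stored subject only), and `pre_hijack_scenario` runs the situation from the description (a frontend account already registered under the victim's e-mail before the first OIDC login) through either lookup so the difference in outcome can be checked.

```python
"""Toy model of OIDC account linking (constructed example, not the extension's code).

Shows why matching existing frontend users on username == IDP e-mail lets a
pre-registered account be linked to someone else's identity, and why matching
only on the IDP subject identifier does not.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class FeUser:
    """Minimal stand-in for a TYPO3 fe_users row (field names are assumptions)."""
    uid: int
    username: str
    email: str
    tx_oidc: str = ""  # IDP subject identifier once linked; empty if never linked


@dataclass
class Claims:
    """The two IDP claims the description mentions: sub and email."""
    sub: str
    email: str


def find_user_vulnerable(users: List[FeUser], claims: Claims) -> Optional[FeUser]:
    """Pre-4.0.0 condition: tx_oidc == sub OR username == email."""
    for u in users:
        if u.tx_oidc == claims.sub or u.username == claims.email:
            return u
    return None


def find_user_fixed(users: List[FeUser], claims: Claims) -> Optional[FeUser]:
    """4.0.0 condition: only the IDP-stable subject identifier is consulted."""
    for u in users:
        if u.tx_oidc == claims.sub:
            return u
    return None


def login(users: List[FeUser], claims: Claims,
          lookup: Callable[[List[FeUser], Claims], Optional[FeUser]]) -> Tuple[FeUser, bool]:
    """Link-or-create step. Returns (user, created). Linking stores the subject."""
    user = lookup(users, claims)
    if user is None:
        user = FeUser(uid=max((u.uid for u in users), default=0) + 1,
                      username=claims.email, email=claims.email, tx_oidc=claims.sub)
        users.append(user)
        return user, True
    if not user.tx_oidc:
        # This is the account-linking step: the existing row is bound to the IDP subject.
        user.tx_oidc = claims.sub
    return user, False


def pre_hijack_scenario(lookup) -> dict:
    """Constructed scenario from the description: an account registered with the
    victim's e-mail as username exists before the victim's first OIDC login."""
    users = [FeUser(uid=1, username="victim@example.com", email="victim@example.com")]
    claims = Claims(sub="idp-subject-0001", email="victim@example.com")  # constructed sub
    user, created = login(users, claims, lookup)
    return {"linked_uid": user.uid, "created": created, "total_users": len(users)}


if __name__ == "__main__":
    print("vulnerable:", pre_hijack_scenario(find_user_vulnerable))  # links uid 1
    print("fixed:     ", pre_hijack_scenario(find_user_fixed))       # creates uid 2
```

With the vulnerable lookup the victim's first OIDC login is attached to the pre-registered row (uid 1), whose password is controlled by whoever registered it; with the fixed lookup no row matches the subject and a fresh user is created instead. For detection on existing deployments, the same distinction suggests auditing fe_users rows whose `tx_oidc` is set and whose creation predates the first OIDC login for that subject, since those are the rows the old condition could have linked.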

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Affected versions     Patched versions
causal/oidc (Packagist)  >= 3.0.0, < 4.0.0     4.0.0

Patches (2)

Commit 877e09f6faf4

[!!!][SECURITY] Do not look up existing users via username field

https://github.com/xperseguers/t3ext-oidc · Markus Klein · Jan 23, 2025 · via ghsa
2 files changed · +5 −4
  • CHANGELOG.md (+4 −0, modified)
    @@ -2,6 +2,10 @@
     
     ## Version 4.x.x
     
    +- Breaking: Existing fe_users are not looked up by their username anymore.
    +  You may use the `AuthenticationFetchUserEvent` to re-add this functionality,
    +  if this is secure for your use case.
    +  See commit `[!!!][SECURITY] Do not look up existing users via username field` for details.
     - Breaking: Upon login the user's username and email address will now be updated
       according to the mapping configuration. The default mapping configuration maps
       the username, but not the email address. Custom mapping configurations can now
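Review bot: The new changelog entry tells operators how to re-add the username lookup via `AuthenticationFetchUserEvent` but not why it was removed, so they cannot judge the "if this is secure for your use case" condition; one sentence stating that matching `username` against the IDP-supplied e-mail allowed a frontend account registered under that e-mail before the user's first OIDC login to be linked to the wrong identity would give them the needed context, and the pointer "See commit `[!!!][SECURITY] ...`" would be more useful as a commit hash or advisory link than a title string.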
    
  • Classes/Service/AuthenticationService.php (+1 −4, modified)
    @@ -325,10 +325,7 @@ protected function convertResourceOwner(array $info): bool|array
                     GeneralUtility::intExplode(',', $this->config['usersStoragePid']),
                     Connection::PARAM_INT_ARRAY
                 )),
    -            $queryBuilder->expr()->or(
    -                $queryBuilder->expr()->eq('tx_oidc', $queryBuilder->createNamedParameter($info['sub'])),
    -                $queryBuilder->expr()->eq('username', $queryBuilder->createNamedParameter($info['email']))
    -            )
    +            $queryBuilder->expr()->eq('tx_oidc', $queryBuilder->createNamedParameter($info['sub'])),
             ];
     
             $event = new AuthenticationFetchUserEvent($info, $userFetchConditions, $queryBuilder, $this);
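Review bot: Dropping the `or(...)` and keeping only `eq('tx_oidc', $info['sub'])` is the correct fix, since `sub` is the IDP-stable identifier while `email` is a value a third party can anticipate and pre-register as a username; one consequence worth documenting is that any existing fe_users rows that were previously matched only through the `username` branch and never had `tx_oidc` populated will no longer be found on their next login and will fall through to whatever the create path does, so a migration note (or a one-time backfill of `tx_oidc`) should accompany this change. Since `$info` is still handed to `AuthenticationFetchUserEvent`, listeners can re-introduce an e-mail match; the event documentation should spell out that doing so re-opens the linking issue this commit closes.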
    
