CVE-2025-32782
ash_authentication has email link auto-click account confirmation vulnerability
描述
### Impact The confirmation flow for account creation currently uses a GET request triggered by clicking a link sent via email. Some email clients and security tools (e.g., Outlook, virus scanners, and email previewers) may automatically follow these links, unintentionally confirming the account. This allows an attacker to register an account using another user’s email and potentially have it auto-confirmed by the victim’s email client. This does not allow attackers to take over or access existing accounts or private data. It is limited to account confirmation of new accounts only. ### Patches A mitigation has been released in version `4.7.0`. You will also need to upgrade to `2.6.0` or later of `ash_authentication_phoenix` to take advantage of the autogenerated views for confirmation. The fix updates the confirmation flow to require explicit user interaction (such as clicking a button on the confirmation page) rather than performing the confirmation via a GET request. This ensures that automatic link prefetching or scanning by email clients does not unintentionally confirm accounts. To mitigate, follow these steps: 1. Upgrade `ash_authentication` >= `4.7.0` 2. Upgrade `ash_authentication_phoenix` >= `2.6.0` (if using `ash_authentication_phoenix`) 3. Set `require_interaction? true` in your confirmation strategy. 4. Add `confirm_route` to your router, if using `ash_authentication_phoenix` *above* `auth_routes`. #### Setting `require_interaction? true` modify your `confirmation` strategy like so: ```elixir confirmation <strategy_name> do ... require_interaction? true end ``` #### Adding the `confirm_route` to your router In order to use this new confirmation flow, you will need to add this to your router to get the desired behavior. It will add a new route to the new confirmation page LiveView. Note the `path` and `token_as_route_param?` options, required for keeping backwards compatibility with current defaults. You may need to adjust if you have changed those routes in some way. ##### IMPORTANT - above `auth_routes` Make sure this goes *above* `auth_routes` if you are using the `path` option, and it begins with `/auth`, or whatever your configured `auth_routes_prefix` is. `auth_routes` greedily handles all routes at the configured path. ```elixir confirm_route( MyApp.Accounts.User, <confirmation_strategy_name>, auth_routes_prefix: "/auth", overrides: [MyAppWeb.AuthOverrides, AshAuthentication.Phoenix.Overrides.Default], # use these options to keep your currently issued confirmation emails compatible # without the options below, the route will default to `/<the_strategy_name>/:token` path: "/auth/user/<confirmation_strategy_name>", token_as_route_param?: false ) ``` Users should upgrade to version `4.7.0` as soon as possible, and set `require_interaction?` to `true` in their confirmation strategy. This will change the `GET` request generated for confirming to a `POST` request. If you upgrade to this version and do not set `require_interaction?` to `true`, compilation will be fail with a message linking to this advisory. This error can be bypassed if, for example, you are confident that you are not affected. ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ You can disable the confirmation routes and create your own live view. We highly advised that you upgrade and take advantage of the builtin views if possible. If you are not using the provided views, you will need to *add* a confirmation LiveView, that does a `POST` to the old confirmation url instead of a `GET`. You would do this by taking the token a parameter out of the link, and adding it as a hidden field to a form. That form would have no inputs, only a button that posts to the confirmation URL. If you are using Liveview, this would be done with `phx-trigger-action` and `phx-action`.