cvelistv5 - cve-2025-32782

CVE-2025-32782 (GCVE-0-2025-32782)

Vulnerability from cvelistv5

Published

2025-04-15 22:04

Modified

2025-04-16 15:36

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE

CWE-306 - Missing Authentication for Critical Function

Summary

Ash Authentication provides authentication for the Ash framework. The confirmation flow for account creation currently uses a GET request triggered by clicking a link sent via email. Some email clients and security tools (e.g., Outlook, virus scanners, and email previewers) may automatically follow these links, unintentionally confirming the account. This allows an attacker to register an account using another user’s email and potentially have it auto-confirmed by the victim’s email client. This does not allow attackers to take over or access existing accounts or private data. It is limited to account confirmation of new accounts only. This vulnerability is fixed in 4.7.0.

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/team-alembic/ash_authentication/commit/99ea38977fd4f421d2aaae0c2fb29f8e5f8f707d
	security-advisories@github.com	https://github.com/team-alembic/ash_authentication/security/advisories/GHSA-3988-q8q7-p787

Impacted products

	Vendor	Product	Version
	team-alembic	ash_authentication	Version: < 4.7.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-32782",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-16T14:07:20.590187Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-16T15:36:23.539Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ash_authentication",
          "vendor": "team-alembic",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.7.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Ash Authentication provides authentication for the Ash framework. The confirmation flow for account creation currently uses a GET request triggered by clicking a link sent via email. Some email clients and security tools (e.g., Outlook, virus scanners, and email previewers) may automatically follow these links, unintentionally confirming the account. This allows an attacker to register an account using another user\u2019s email and potentially have it auto-confirmed by the victim\u2019s email client. This does not allow attackers to take over or access existing accounts or private data. It is limited to account confirmation of new accounts only. This vulnerability is fixed in 4.7.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306: Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-15T22:04:41.667Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/team-alembic/ash_authentication/security/advisories/GHSA-3988-q8q7-p787",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/team-alembic/ash_authentication/security/advisories/GHSA-3988-q8q7-p787"
        },
        {
          "name": "https://github.com/team-alembic/ash_authentication/commit/99ea38977fd4f421d2aaae0c2fb29f8e5f8f707d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/team-alembic/ash_authentication/commit/99ea38977fd4f421d2aaae0c2fb29f8e5f8f707d"
        }
      ],
      "source": {
        "advisory": "GHSA-3988-q8q7-p787",
        "discovery": "UNKNOWN"
      },
      "title": "Ash Authentication email link auto-click account confirmation vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-32782",
    "datePublished": "2025-04-15T22:04:41.667Z",
    "dateReserved": "2025-04-10T12:51:12.279Z",
    "dateUpdated": "2025-04-16T15:36:23.539Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-32782\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-04-15T22:15:28.027\",\"lastModified\":\"2025-04-16T13:25:37.340\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Ash Authentication provides authentication for the Ash framework. The confirmation flow for account creation currently uses a GET request triggered by clicking a link sent via email. Some email clients and security tools (e.g., Outlook, virus scanners, and email previewers) may automatically follow these links, unintentionally confirming the account. This allows an attacker to register an account using another user\u2019s email and potentially have it auto-confirmed by the victim\u2019s email client. This does not allow attackers to take over or access existing accounts or private data. It is limited to account confirmation of new accounts only. This vulnerability is fixed in 4.7.0.\"},{\"lang\":\"es\",\"value\":\"La autenticaci\u00f3n de Ash proporciona autenticaci\u00f3n para el framework Ash. El flujo de confirmaci\u00f3n para la creaci\u00f3n de cuentas utiliza actualmente una solicitud GET que se activa al hacer clic en un enlace enviado por correo electr\u00f3nico. Algunos clientes de correo electr\u00f3nico y herramientas de seguridad (por ejemplo, Outlook, antivirus y previsualizadores de correo electr\u00f3nico) pueden seguir autom\u00e1ticamente estos enlaces, confirmando la cuenta sin querer. Esto permite a un atacante registrar una cuenta con el correo electr\u00f3nico de otro usuario y, potencialmente, que el cliente de correo electr\u00f3nico de la v\u00edctima la confirme autom\u00e1ticamente. Esto no permite a los atacantes tomar el control ni acceder a cuentas existentes ni a datos privados. Se limita \u00fanicamente a la confirmaci\u00f3n de cuentas nuevas. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 4.7.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"}]}],\"references\":[{\"url\":\"https://github.com/team-alembic/ash_authentication/commit/99ea38977fd4f421d2aaae0c2fb29f8e5f8f707d\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/team-alembic/ash_authentication/security/advisories/GHSA-3988-q8q7-p787\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Ash Authentication email link auto-click account confirmation vulnerability\", \"source\": {\"advisory\": \"GHSA-3988-q8q7-p787\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"team-alembic\", \"product\": \"ash_authentication\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 4.7.0\"}]}], \"references\": [{\"url\": \"https://github.com/team-alembic/ash_authentication/security/advisories/GHSA-3988-q8q7-p787\", \"name\": \"https://github.com/team-alembic/ash_authentication/security/advisories/GHSA-3988-q8q7-p787\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/team-alembic/ash_authentication/commit/99ea38977fd4f421d2aaae0c2fb29f8e5f8f707d\", \"name\": \"https://github.com/team-alembic/ash_authentication/commit/99ea38977fd4f421d2aaae0c2fb29f8e5f8f707d\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Ash Authentication provides authentication for the Ash framework. The confirmation flow for account creation currently uses a GET request triggered by clicking a link sent via email. Some email clients and security tools (e.g., Outlook, virus scanners, and email previewers) may automatically follow these links, unintentionally confirming the account. This allows an attacker to register an account using another user\\u2019s email and potentially have it auto-confirmed by the victim\\u2019s email client. This does not allow attackers to take over or access existing accounts or private data. It is limited to account confirmation of new accounts only. This vulnerability is fixed in 4.7.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-306\", \"description\": \"CWE-306: Missing Authentication for Critical Function\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-04-15T22:04:41.667Z\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-32782\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-16T14:07:20.590187Z\"}}}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2025-04-16T14:07:30.362Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-32782\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-15T22:04:41.667Z\", \"dateReserved\": \"2025-04-10T12:51:12.279Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-04-15T22:04:41.667Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

fkie_cve-2025-32782

Vulnerability from fkie_nvd

Published

2025-04-15 22:15

Modified

2025-04-16 13:25

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Summary

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/team-alembic/ash_authentication/commit/99ea38977fd4f421d2aaae0c2fb29f8e5f8f707d
	security-advisories@github.com	https://github.com/team-alembic/ash_authentication/security/advisories/GHSA-3988-q8q7-p787

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Ash Authentication provides authentication for the Ash framework. The confirmation flow for account creation currently uses a GET request triggered by clicking a link sent via email. Some email clients and security tools (e.g., Outlook, virus scanners, and email previewers) may automatically follow these links, unintentionally confirming the account. This allows an attacker to register an account using another user\u2019s email and potentially have it auto-confirmed by the victim\u2019s email client. This does not allow attackers to take over or access existing accounts or private data. It is limited to account confirmation of new accounts only. This vulnerability is fixed in 4.7.0."
    },
    {
      "lang": "es",
      "value": "La autenticaci\u00f3n de Ash proporciona autenticaci\u00f3n para el framework Ash. El flujo de confirmaci\u00f3n para la creaci\u00f3n de cuentas utiliza actualmente una solicitud GET que se activa al hacer clic en un enlace enviado por correo electr\u00f3nico. Algunos clientes de correo electr\u00f3nico y herramientas de seguridad (por ejemplo, Outlook, antivirus y previsualizadores de correo electr\u00f3nico) pueden seguir autom\u00e1ticamente estos enlaces, confirmando la cuenta sin querer. Esto permite a un atacante registrar una cuenta con el correo electr\u00f3nico de otro usuario y, potencialmente, que el cliente de correo electr\u00f3nico de la v\u00edctima la confirme autom\u00e1ticamente. Esto no permite a los atacantes tomar el control ni acceder a cuentas existentes ni a datos privados. Se limita \u00fanicamente a la confirmaci\u00f3n de cuentas nuevas. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 4.7.0."
    }
  ],
  "id": "CVE-2025-32782",
  "lastModified": "2025-04-16T13:25:37.340",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-04-15T22:15:28.027",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/team-alembic/ash_authentication/commit/99ea38977fd4f421d2aaae0c2fb29f8e5f8f707d"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/team-alembic/ash_authentication/security/advisories/GHSA-3988-q8q7-p787"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-306"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

ghsa-3988-q8q7-p787

Vulnerability from github

Published

2025-04-14 23:00

Modified

2025-04-16 00:40

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Summary

ash_authentication has email link auto-click account confirmation vulnerability

Details

Impact

The confirmation flow for account creation currently uses a GET request triggered by clicking a link sent via email. Some email clients and security tools (e.g., Outlook, virus scanners, and email previewers) may automatically follow these links, unintentionally confirming the account. This allows an attacker to register an account using another user’s email and potentially have it auto-confirmed by the victim’s email client.

This does not allow attackers to take over or access existing accounts or private data. It is limited to account confirmation of new accounts only.

Patches

A mitigation has been released in version 4.7.0. You will also need to upgrade to 2.6.0 or later of ash_authentication_phoenix to take advantage of the autogenerated views for confirmation. The fix updates the confirmation flow to require explicit user interaction (such as clicking a button on the confirmation page) rather than performing the confirmation via a GET request. This ensures that automatic link prefetching or scanning by email clients does not unintentionally confirm accounts.

To mitigate, follow these steps:

Upgrade ash_authentication >= 4.7.0
Upgrade ash_authentication_phoenix >= 2.6.0 (if using ash_authentication_phoenix)
Set require_interaction? true in your confirmation strategy.
Add confirm_route to your router, if using ash_authentication_phoenix above auth_routes.

Setting `require_interaction? true`

modify your confirmation strategy like so:

elixir confirmation <strategy_name> do ... require_interaction? true end

Adding the `confirm_route` to your router

In order to use this new confirmation flow, you will need to add this to your router to get the desired behavior. It will add a new route to the new confirmation page LiveView. Note the path and token_as_route_param? options, required for keeping backwards compatibility with current defaults. You may need to adjust if you have changed those routes in some way.

IMPORTANT - above `auth_routes`

Make sure this goes above auth_routes if you are using the path option, and it begins with /auth, or whatever your configured auth_routes_prefix is. auth_routes greedily handles all routes at the configured path.

elixir confirm_route( MyApp.Accounts.User, <confirmation_strategy_name>, auth_routes_prefix: "/auth", overrides: [MyAppWeb.AuthOverrides, AshAuthentication.Phoenix.Overrides.Default], # use these options to keep your currently issued confirmation emails compatible # without the options below, the route will default to `/<the_strategy_name>/:token` path: "/auth/user/<confirmation_strategy_name>", token_as_route_param?: false )

Users should upgrade to version 4.7.0 as soon as possible, and set require_interaction? to true in their confirmation strategy. This will change the GET request generated for confirming to a POST request.

If you upgrade to this version and do not set require_interaction? to true, compilation will be fail with a message linking to this advisory. This error can be bypassed if, for example, you are confident that you are not affected.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading? You can disable the confirmation routes and create your own live view. We highly advised that you upgrade and take advantage of the builtin views if possible. If you are not using the provided views, you will need to add a confirmation LiveView, that does a POST to the old confirmation url instead of a GET. You would do this by taking the token a parameter out of the link, and adding it as a hidden field to a form. That form would have no inputs, only a button that posts to the confirmation URL. If you are using Liveview, this would be done with phx-trigger-action and phx-action.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Hex",
        "name": "ash_authentication"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-32782"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-14T23:00:39Z",
    "nvd_published_at": "2025-04-15T22:15:28Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThe confirmation flow for account creation currently uses a GET request triggered by clicking a link sent via email. Some email clients and security tools (e.g., Outlook, virus scanners, and email previewers) may automatically follow these links, unintentionally confirming the account. This allows an attacker to register an account using another user\u2019s email and potentially have it auto-confirmed by the victim\u2019s email client.\n\nThis does not allow attackers to take over or access existing accounts or private data. It is limited to account confirmation of new accounts only.\n\n### Patches\nA mitigation has been released in version `4.7.0`. You will also need to upgrade to `2.6.0` or later of `ash_authentication_phoenix` to take advantage of the autogenerated views for confirmation. The fix updates the confirmation flow to require explicit user interaction (such as clicking a button on the confirmation page) rather than performing the confirmation via a GET request. This ensures that automatic link prefetching or scanning by email clients does not unintentionally confirm accounts.\n\nTo mitigate, follow these steps:\n\n1. Upgrade `ash_authentication` \u003e= `4.7.0`\n2. Upgrade `ash_authentication_phoenix` \u003e= `2.6.0` (if using `ash_authentication_phoenix`)\n3. Set `require_interaction? true` in your confirmation strategy.\n4. Add `confirm_route` to your router, if using `ash_authentication_phoenix` *above* `auth_routes`.\n\n#### Setting `require_interaction? true`\n\nmodify your `confirmation` strategy like so:\n\n```elixir\nconfirmation \u003cstrategy_name\u003e do\n  ...\n  require_interaction? true\nend\n```\n\n#### Adding the `confirm_route` to your router\n\nIn order to use this new confirmation flow, you will need to add this to your router to get the desired behavior. It will add a new route to the new confirmation page LiveView. Note the `path` and `token_as_route_param?` options, required for keeping backwards compatibility with current defaults. You may need to adjust if you have changed those routes in some way.\n\n##### IMPORTANT - above `auth_routes`\n\nMake sure this goes *above* `auth_routes` if you are using the `path` option, and it begins with `/auth`,\nor whatever your configured `auth_routes_prefix` is. `auth_routes` greedily handles all routes at the\nconfigured path.\n\n```elixir\nconfirm_route(\n  MyApp.Accounts.User,\n  \u003cconfirmation_strategy_name\u003e,\n  auth_routes_prefix: \"/auth\",\n  overrides: [MyAppWeb.AuthOverrides, AshAuthentication.Phoenix.Overrides.Default],\n  # use these options to keep your currently issued confirmation emails compatible\n  # without the options below, the route will default to `/\u003cthe_strategy_name\u003e/:token`\n  path: \"/auth/user/\u003cconfirmation_strategy_name\u003e\",\n  token_as_route_param?: false\n)\n```\n\nUsers should upgrade to version `4.7.0` as soon as possible, and set `require_interaction?` to `true` in their confirmation strategy. This will change the `GET` request generated for confirming to a `POST` request. \n\nIf you upgrade to this version and do not set `require_interaction?` to `true`, compilation will be fail with a message linking to this advisory. This error can be bypassed if, for example, you are confident that you are not affected.\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\nYou can disable the confirmation routes and create your own live view. We highly advised that you upgrade and take advantage of the builtin views if possible. If you are not using the provided views, you will need to *add* a confirmation LiveView, that does a `POST` to the old confirmation url instead of a `GET`. You would do this by taking the token a parameter out of the link, and adding it as a hidden field to a form. That form would have no inputs, only a button that posts to the confirmation URL. If you are using Liveview, this would be done with `phx-trigger-action` and `phx-action`.",
  "id": "GHSA-3988-q8q7-p787",
  "modified": "2025-04-16T00:40:51Z",
  "published": "2025-04-14T23:00:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/team-alembic/ash_authentication/security/advisories/GHSA-3988-q8q7-p787"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32782"
    },
    {
      "type": "WEB",
      "url": "https://github.com/team-alembic/ash_authentication/commit/99ea38977fd4f421d2aaae0c2fb29f8e5f8f707d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/team-alembic/ash_authentication"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ash_authentication has email link auto-click account confirmation vulnerability"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-32782 (GCVE-0-2025-32782)

Vulnerability from cvelistv5

fkie_cve-2025-32782

Vulnerability from fkie_nvd

ghsa-3988-q8q7-p787

Vulnerability from github

Impact

Patches

Setting require_interaction? true

Adding the confirm_route to your router

IMPORTANT - above auth_routes

Workarounds

Tags

Sightings

Nomenclature

Setting `require_interaction? true`

Adding the `confirm_route` to your router

IMPORTANT - above `auth_routes`