
CVE-2025-32782 – Ash Authentication email link auto-click account confirmation vulnerability
https://notcve.org/view.php?id=CVE-2025-32782
15 Apr 2025 — Ash Authentication provides authentication for the Ash framework. The confirmation flow for account creation currently uses a GET request triggered by clicking a link sent via email. Some email clients and security tools (e.g., Outlook, virus scanners, and email previewers) may automatically follow these links, unintentionally confirming the account. This allows an attacker to register an account using another user’s email and potentially have it auto-confirmed by the victim’s email client. This does not al... • https://github.com/team-alembic/ash_authentication/commit/99ea38977fd4f421d2aaae0c2fb29f8e5f8f707d • CWE-306: Missing Authentication for Critical Function •

CVE-2025-25202 – Ash Authentication has flawed token revocation checking logic in actions generated by `mix ash_authentication.install`
https://notcve.org/view.php?id=CVE-2025-25202
11 Feb 2025 — Ash Authentication is an authentication framework for Elixir applications. Applications which have been bootstrapped by the igniter installer present since AshAuthentication v4.1.0 and which have used the magic link strategy _or_ are manually revoking tokens are affected by revoked tokens being allowed to verify as valid. Unless one has implemented some kind of custom token revocation feature in one's application, one will not be affected. The impact here for users using builtin functionality is that magi... • https://github.com/team-alembic/ash_authentication/commit/2dee55252df26fe3d990ff1199397cdcf1bfea8a • CWE-269: Improper Privilege Management •