GHSA-3988-q8q7-p787
MEDIUMash_authentication has email link auto-click account confirmation vulnerability
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
ash_authenticationReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Hex packages — download data is not available via public APIs for these ecosystems.
Description
Impact
The confirmation flow for account creation currently uses a GET request triggered by clicking a link sent via email. Some email clients and security tools (e.g., Outlook, virus scanners, and email previewers) may automatically follow these links, unintentionally confirming the account. This allows an attacker to register an account using another user’s email and potentially have it auto-confirmed by the victim’s email client.
This does not allow attackers to take over or access existing accounts or private data. It is limited to account confirmation of new accounts only.
Patches
A mitigation has been released in version 4.7.0. You will also need to upgrade to 2.6.0 or later of ash_authentication_phoenix to take advantage of the autogenerated views for confirmation. The fix updates the confirmation flow to require explicit user interaction (such as clicking a button on the confirmation page) rather than performing the confirmation via a GET request. This ensures that automatic link prefetching or scanning by email clients does not unintentionally confirm accounts.
To mitigate, follow these steps:
- Upgrade
ash_authentication>=4.7.0 - Upgrade
ash_authentication_phoenix>=2.6.0(if usingash_authentication_phoenix) - Set
require_interaction? truein your confirmation strategy. - Add
confirm_routeto your router, if usingash_authentication_phoenixaboveauth_routes.
Setting require_interaction? true
modify your confirmation strategy like so:
confirmation <strategy_name> do
...
require_interaction? true
end
Adding the confirm_route to your router
In order to use this new confirmation flow, you will need to add this to your router to get the desired behavior. It will add a new route to the new confirmation page LiveView. Note the path and token_as_route_param? options, required for keeping backwards compatibility with current defaults. You may need to adjust if you have changed those routes in some way.
IMPORTANT - above auth_routes
Make sure this goes above auth_routes if you are using the path option, and it begins with /auth,
or whatever your configured auth_routes_prefix is. auth_routes greedily handles all routes at the
configured path.
confirm_route(
MyApp.Accounts.User,
<confirmation_strategy_name>,
auth_routes_prefix: "/auth",
overrides: [MyAppWeb.AuthOverrides, AshAuthentication.Phoenix.Overrides.Default],
# use these options to keep your currently issued confirmation emails compatible
# without the options below, the route will default to `/<the_strategy_name>/:token`
path: "/auth/user/<confirmation_strategy_name>",
token_as_route_param?: false
)
Users should upgrade to version 4.7.0 as soon as possible, and set require_interaction? to true in their confirmation strategy. This will change the GET request generated for confirming to a POST request.
If you upgrade to this version and do not set require_interaction? to true, compilation will be fail with a message linking to this advisory. This error can be bypassed if, for example, you are confident that you are not affected.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
You can disable the confirmation routes and create your own live view. We highly advised that you upgrade and take advantage of the builtin views if possible. If you are not using the provided views, you will need to add a confirmation LiveView, that does a POST to the old confirmation url instead of a GET. You would do this by taking the token a parameter out of the link, and adding it as a hidden field to a form. That form would have no inputs, only a button that posts to the confirmation URL. If you are using Liveview, this would be done with phx-trigger-action and phx-action.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 💧Hex | ash_authentication | all versions | 4.7.0 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for ash_authentication. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update ash_authentication to 4.7.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-3988-q8q7-p787 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-3988-q8q7-p787 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-3988-q8q7-p787. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-3988-q8q7-p787 in your dependencies?
O3 detects GHSA-3988-q8q7-p787 across Hex dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.