Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-58360

CVE-2024-58360: stoatchat Auth Bypass Vulnerability

CVE-2024-58360 is an authentication bypass vulnerability in stoatchat versions before 0.7.8 that allows attackers to create unlimited accounts bypassing security restrictions. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2024-58360 Overview

CVE-2024-58360 affects stoatchat versions prior to 0.7.8. The application fails to enforce configured account creation restrictions, including invite-only mode, email verification, CAPTCHA challenges, and shield verification. The root cause is a misconfigured Authifier initialization that loads Default::default() instead of the intended runtime configuration.

Attackers can register unlimited accounts using unverified email addresses. This weakens service integrity and enables denial-of-service conditions through resource exhaustion, spam, and abuse of downstream features. The issue is classified under [CWE-1173] Improper Use of Validation Framework.

Critical Impact

Remote, unauthenticated attackers can create unlimited accounts, bypassing invite-only, CAPTCHA, and email verification controls, enabling abuse and denial-of-service against stoatchat deployments.

Affected Products

  • stoatchat versions prior to 0.7.8
  • Deployments relying on Authifier account creation restrictions
  • Self-hosted stoatchat instances with invite-only or CAPTCHA enforcement configured

Discovery Timeline

  • 2026-07-16 - CVE-2024-58360 published to NVD
  • 2026-07-16 - Last updated in NVD database

Technical Details for CVE-2024-58360

Vulnerability Analysis

stoatchat integrates the Authifier authentication library to enforce account creation policies. These policies include invite-only registration, email verification, CAPTCHA validation, and shield verification against abusive signups. The vulnerable build initializes Authifier with a default configuration rather than the operator-supplied configuration.

Because the default configuration disables all restrictions, every enforcement check silently no-ops. The registration endpoint accepts unauthenticated requests and issues accounts without verifying email ownership or invite tokens. This is a business logic and configuration flaw rather than a memory safety issue.

Exploitation requires no privileges, no user interaction, and network access to the registration endpoint. Attackers can script mass account creation to poison the user directory, exhaust storage, and abuse features gated only by account ownership.

Root Cause

In crates/delta/src/main.rs, the Authifier struct was instantiated with config: Default::default(). This overrode the intended call to authifier_config().await, which loads invite mode, CAPTCHA, and verification settings from runtime configuration.

Attack Vector

The attack vector is network-based against the public registration API. An attacker sends repeated POST requests to the account creation endpoint using arbitrary email addresses. No CAPTCHA solve, invite token, or email confirmation is required for the account to become usable.

rust
                 authifier::database::MongoDb(client.database("revolt")),
             ),
         },
-        config: Default::default(),
-        // config: authifier_config().await,
+        config: authifier_config().await,
         event_channel: Some(sender),
     };

Source: GitHub commit eda3643. The patch removes the Default::default() assignment and restores the async call that loads the real configuration from Authifier.

Detection Methods for CVE-2024-58360

Indicators of Compromise

  • Bursts of successful account registrations from a small set of source IPs or ASNs
  • New accounts with syntactically valid but unverifiable or disposable email domains
  • Accounts created without an associated invite token when invite-only mode is expected
  • Sudden growth of the users collection in MongoDB without corresponding email verification records

Detection Strategies

  • Compare the running stoatchat version against 0.7.8 and flag any earlier build as vulnerable
  • Correlate registration API access logs against expected CAPTCHA or invite-token traffic patterns
  • Alert on registration-to-verification ratio anomalies where account creation greatly exceeds verified sessions
  • Review Authifier initialization at process start to confirm authifier_config().await is loaded

Monitoring Recommendations

  • Ingest stoatchat and reverse-proxy access logs into a centralized analytics platform for rate-based analysis
  • Track daily account creation volume and alert on standard deviation spikes
  • Monitor outbound mail queues for verification emails that never receive interaction
  • Watch for repeated registrations sharing device fingerprints, User-Agent strings, or IP ranges

How to Mitigate CVE-2024-58360

Immediate Actions Required

  • Upgrade stoatchat to version 0.7.8 or later, which restores the proper Authifier configuration load
  • Audit existing user accounts created before the upgrade and remove unverified or suspicious registrations
  • Rotate any invite tokens issued under the assumption that invite-only mode was enforced
  • Rate-limit the registration endpoint at the reverse proxy or WAF until the patch is deployed

Patch Information

The fix is delivered in commit eda36436a862bcab92f7ac2cf1c2dd88c41e52a4 and included in stoatchat 0.7.8. Details are published in the GitHub Security Advisory GHSA-f26h-rqjq-qqjq and the VulnCheck advisory.

Workarounds

  • Place the registration endpoint behind an authenticated reverse proxy or SSO gateway until upgrade
  • Enforce network-layer CAPTCHA or bot mitigation in front of stoatchat
  • Temporarily disable public registration and manually provision accounts if patching is delayed
  • Apply strict per-IP and per-subnet rate limits on the account creation route
bash
# Verify installed stoatchat version and upgrade
git -C /opt/stoatchat describe --tags
git -C /opt/stoatchat fetch --tags
git -C /opt/stoatchat checkout v0.7.8
cargo build --release
systemctl restart stoatchat

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.