CVE-2024-58360 Overview
CVE-2024-58360 affects stoatchat versions prior to 0.7.8. The application fails to enforce configured account creation restrictions, including invite-only mode, email verification, CAPTCHA challenges, and shield verification. The root cause is a misconfigured Authifier initialization that loads Default::default() instead of the intended runtime configuration.
Attackers can register unlimited accounts using unverified email addresses. This weakens service integrity and enables denial-of-service conditions through resource exhaustion, spam, and abuse of downstream features. The issue is classified under [CWE-1173] Improper Use of Validation Framework.
Critical Impact
Remote, unauthenticated attackers can create unlimited accounts, bypassing invite-only, CAPTCHA, and email verification controls, enabling abuse and denial-of-service against stoatchat deployments.
Affected Products
- stoatchat versions prior to 0.7.8
- Deployments relying on Authifier account creation restrictions
- Self-hosted stoatchat instances with invite-only or CAPTCHA enforcement configured
Discovery Timeline
- 2026-07-16 - CVE-2024-58360 published to NVD
- 2026-07-16 - Last updated in NVD database
Technical Details for CVE-2024-58360
Vulnerability Analysis
stoatchat integrates the Authifier authentication library to enforce account creation policies. These policies include invite-only registration, email verification, CAPTCHA validation, and shield verification against abusive signups. The vulnerable build initializes Authifier with a default configuration rather than the operator-supplied configuration.
Because the default configuration disables all restrictions, every enforcement check silently no-ops. The registration endpoint accepts unauthenticated requests and issues accounts without verifying email ownership or invite tokens. This is a business logic and configuration flaw rather than a memory safety issue.
Exploitation requires no privileges, no user interaction, and network access to the registration endpoint. Attackers can script mass account creation to poison the user directory, exhaust storage, and abuse features gated only by account ownership.
Root Cause
In crates/delta/src/main.rs, the Authifier struct was instantiated with config: Default::default(). This overrode the intended call to authifier_config().await, which loads invite mode, CAPTCHA, and verification settings from runtime configuration.
Attack Vector
The attack vector is network-based against the public registration API. An attacker sends repeated POST requests to the account creation endpoint using arbitrary email addresses. No CAPTCHA solve, invite token, or email confirmation is required for the account to become usable.
authifier::database::MongoDb(client.database("revolt")),
),
},
- config: Default::default(),
- // config: authifier_config().await,
+ config: authifier_config().await,
event_channel: Some(sender),
};
Source: GitHub commit eda3643. The patch removes the Default::default() assignment and restores the async call that loads the real configuration from Authifier.
Detection Methods for CVE-2024-58360
Indicators of Compromise
- Bursts of successful account registrations from a small set of source IPs or ASNs
- New accounts with syntactically valid but unverifiable or disposable email domains
- Accounts created without an associated invite token when invite-only mode is expected
- Sudden growth of the users collection in MongoDB without corresponding email verification records
Detection Strategies
- Compare the running stoatchat version against 0.7.8 and flag any earlier build as vulnerable
- Correlate registration API access logs against expected CAPTCHA or invite-token traffic patterns
- Alert on registration-to-verification ratio anomalies where account creation greatly exceeds verified sessions
- Review Authifier initialization at process start to confirm authifier_config().await is loaded
Monitoring Recommendations
- Ingest stoatchat and reverse-proxy access logs into a centralized analytics platform for rate-based analysis
- Track daily account creation volume and alert on standard deviation spikes
- Monitor outbound mail queues for verification emails that never receive interaction
- Watch for repeated registrations sharing device fingerprints, User-Agent strings, or IP ranges
How to Mitigate CVE-2024-58360
Immediate Actions Required
- Upgrade stoatchat to version 0.7.8 or later, which restores the proper Authifier configuration load
- Audit existing user accounts created before the upgrade and remove unverified or suspicious registrations
- Rotate any invite tokens issued under the assumption that invite-only mode was enforced
- Rate-limit the registration endpoint at the reverse proxy or WAF until the patch is deployed
Patch Information
The fix is delivered in commit eda36436a862bcab92f7ac2cf1c2dd88c41e52a4 and included in stoatchat 0.7.8. Details are published in the GitHub Security Advisory GHSA-f26h-rqjq-qqjq and the VulnCheck advisory.
Workarounds
- Place the registration endpoint behind an authenticated reverse proxy or SSO gateway until upgrade
- Enforce network-layer CAPTCHA or bot mitigation in front of stoatchat
- Temporarily disable public registration and manually provision accounts if patching is delayed
- Apply strict per-IP and per-subnet rate limits on the account creation route
# Verify installed stoatchat version and upgrade
git -C /opt/stoatchat describe --tags
git -C /opt/stoatchat fetch --tags
git -C /opt/stoatchat checkout v0.7.8
cargo build --release
systemctl restart stoatchat
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

