github.com/juanfont/headscale is vulnerable to Authorization Bypass
98
Critical Risk
In Headscale version 0.23.0 and earlier, OIDC user identification relies on either the "username" part of an email address (when strip_email_domain is true, the default) or the full email address (when strip_email_domain is false). This approach has the following issues:

1. Account Takeover Risk: A malicious user with an Identity Provider (IdP) account can exploit the use of the email claim to take over another user's Headscale account, even if strip_email_domain is set to false.
2. Account Access Loss: If a legitimate user changes their email address, they lose access to their Headscale account due to the reliance on the email claim.

These vulnerabilities are addressed in Headscale version 0.24.0, which identifies OIDC users by the iss and sub claims. These claims are stable and unique as per the OIDC specification, ensuring account integrity and persistence even if a user's email address changes.
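The two lookup schemes side by side, as an added Go example that is not headscale's own code: the Claims and Identity types, the issuer URLs, subjects and email addresses are constructed for illustration. It shows that one email presented by two different IdP subjects maps to a single email-derived key whatever strip_email_domain is set to, while the iss+sub key keeps them apart and survives an email change.

```go
package main

import (
	"fmt"
	"strings"
)

// Claims holds the OIDC ID-token claims the advisory discusses
// (a constructed type for this example, not headscale's own).
type Claims struct{ Iss, Sub, Email string }

// Identity is the stable account key of the 0.24.0 fix: issuer plus subject.
// A struct key avoids the delimiter ambiguity of concatenating the two strings.
type Identity struct{ Iss, Sub string }

// legacyKey reproduces the pre-0.24.0 lookup: the email claim, with its domain
// stripped when strip_email_domain is true (the default).
func legacyKey(c Claims, stripEmailDomain bool) string {
	if at := strings.IndexByte(c.Email, '@'); stripEmailDomain && at >= 0 {
		return c.Email[:at]
	}
	return c.Email
}

// stableKey reproduces the fixed lookup. iss and sub are required ID-token claims,
// so a token lacking either is rejected rather than silently keyed on "".
func stableKey(c Claims) (Identity, error) {
	if c.Iss == "" || c.Sub == "" {
		return Identity{}, fmt.Errorf("id token missing iss or sub claim")
	}
	return Identity{Iss: c.Iss, Sub: c.Sub}, nil
}

func main() {
	// Constructed claims: one email presented by two different IdP subjects,
	// plus the first subject after changing its email address.
	alice := Claims{Iss: "https://idp-a.example", Sub: "1001", Email: "alice@example.com"}
	other := Claims{Iss: "https://idp-b.example", Sub: "7c2f", Email: "alice@example.com"}
	renamed := Claims{Iss: alice.Iss, Sub: alice.Sub, Email: "alice.smith@example.com"}
	for _, strip := range []bool{true, false} {
		fmt.Printf("email key (strip=%v): collision=%v lostAfterRename=%v\n", strip,
			legacyKey(alice, strip) == legacyKey(other, strip),
			legacyKey(alice, strip) != legacyKey(renamed, strip))
	}
	a, _ := stableKey(alice)
	o, _ := stableKey(other)
	r, _ := stableKey(renamed)
	fmt.Printf("iss+sub key: collision=%v lostAfterRename=%v\n", a == o, a != r)
}
```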
You are affected if you are using a version that falls within the vulnerable range.
github.com/juanfont/headscale is vulnerable to Authorization Bypass in versions 0.1.0 - 0.23.0.
Upgrade the github.com/juanfont/headscale library to the patched version (0.24.0 or later).