GHSA-F7GQ-H8JV-H3CQ
Vulnerability from github – Published: 2025-06-17 14:20 – Updated: 2025-06-17 19:56
VLAI?
Summary
ash_authentication_phoenix has Insufficient Session Expiration
Details
Impact
Session tokens remain valid on the server after user logout, creating a security gap where:
- Compromised tokens (via XSS, network interception, or device theft) continue to work even after the user logs out
- The sessions stored in the database still expire, limiting the duration during which this could be exploited
- Users cannot fully invalidate their sessions when logging out from shared or potentially compromised devices
- by default, changing one's password does invalidate all other sessions, so changing your password as a security measure would have been effective
- May cause compliance issues with security frameworks requiring complete session
Patches
Upgrade to version 2.10.0. After upgrading, users must update their AuthController implementation to use the new clear_session/2 function with their OTP app name. You will be prompted to do so with a compile-time error.
If you do not have the setting require_token_presence_for_authentication? set to true in the tokens section, you will see a separate error:
** (Spark.Error.DslError) authentication -> session_identifier:
Must set `authentication.session_identifier` to either `:jti` or `:unsafe`.
...
In order to revoke sessions on log out when not storing tokens directly in the session, we must have some unique identifier with which to do so. You should prefer to enable require_token_presence_for_authentication? if possible, instead of setting this to :jti. Note that whatever you do here, if you did not previously have require_token_presence_for_authentication? set to true, setting it to true or setting authentication.session_identifier to :jti will log out all of your currently authenticated users.
Workarounds
You can manually revoke tokens in your logout/2 handler in your auth controller.
Severity ?
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.9.0"
},
"package": {
"ecosystem": "Hex",
"name": "ash_authentication_phoenix"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.10.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-4754"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-17T14:20:46Z",
"nvd_published_at": "2025-06-17T15:15:53Z",
"severity": "LOW"
},
"details": "### Impact\n\nSession tokens remain valid on the server after user logout, creating a security gap where:\n\n- Compromised tokens (via XSS, network interception, or device theft) continue to work even after the user logs out\n - The sessions stored in the database still expire, limiting the duration during which this could be exploited\n- Users cannot fully invalidate their sessions when logging out from shared or potentially compromised devices \n - by default, changing one\u0027s password *does* invalidate all other sessions, so changing your password as a security measure would have been effective\n- May cause compliance issues with security frameworks requiring complete session \n### Patches\nUpgrade to version 2.10.0. After upgrading, users must update their AuthController implementation to use the new `clear_session/2` function with their OTP app name. You will be prompted to do so with a compile-time error.\n\nIf you do not have the setting `require_token_presence_for_authentication?` set to `true` in the `tokens` section, you will see a separate error:\n\n```\n** (Spark.Error.DslError) authentication -\u003e session_identifier:\nMust set `authentication.session_identifier` to either `:jti` or `:unsafe`.\n\n...\n```\n\nIn order to revoke sessions on log out when not storing tokens directly in the session, we must have some unique identifier with which to do so. You should prefer to enable `require_token_presence_for_authentication?` if possible, instead of setting this to `:jti`. Note that whatever you do here, if you did not previously have `require_token_presence_for_authentication?` set to `true`, setting it to `true` *or* setting `authentication.session_identifier` to `:jti` will log out all of your currently authenticated users.\n\n### Workarounds\nYou can manually revoke tokens in your `logout/2` handler in your auth controller.",
"id": "GHSA-f7gq-h8jv-h3cq",
"modified": "2025-06-17T19:56:26Z",
"published": "2025-06-17T14:20:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/team-alembic/ash_authentication_phoenix/security/advisories/GHSA-f7gq-h8jv-h3cq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4754"
},
{
"type": "WEB",
"url": "https://github.com/team-alembic/ash_authentication_phoenix/pull/634"
},
{
"type": "WEB",
"url": "https://github.com/team-alembic/ash_authentication_phoenix/commit/a3253fb4fc7145aeb403537af1c24d3a8d51ffb1"
},
{
"type": "PACKAGE",
"url": "https://github.com/team-alembic/ash_authentication_phoenix"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "ash_authentication_phoenix has Insufficient Session Expiration"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…