GHSA-f7gq-h8jv-h3cq
Suggest an improvement- Source
- https://github.com/advisories/GHSA-f7gq-h8jv-h3cq
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-f7gq-h8jv-h3cq/GHSA-f7gq-h8jv-h3cq.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-f7gq-h8jv-h3cq
- Aliases
-
- CVE-2025-4754
- Published
- 2025-06-17T14:20:46Z
- Modified
- 2025-06-17T19:56:26Z
- Severity
-
- 2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- ash_authentication_phoenix has Insufficient Session Expiration
- Details
-
Impact
Session tokens remain valid on the server after user logout, creating a security gap where:
- Compromised tokens (via XSS, network interception, or device theft) continue to work even after the user logs out
- The sessions stored in the database still expire, limiting the duration during which this could be exploited
- Users cannot fully invalidate their sessions when logging out from shared or potentially compromised devices
- by default, changing one's password does invalidate all other sessions, so changing your password as a security measure would have been effective
- May cause compliance issues with security frameworks requiring complete session
Patches
Upgrade to version 2.10.0. After upgrading, users must update their AuthController implementation to use the new
clear_session/2function with their OTP app name. You will be prompted to do so with a compile-time error.If you do not have the setting
require_token_presence_for_authentication?set totruein thetokenssection, you will see a separate error:** (Spark.Error.DslError) authentication -> session_identifier: Must set `authentication.session_identifier` to either `:jti` or `:unsafe`. ...In order to revoke sessions on log out when not storing tokens directly in the session, we must have some unique identifier with which to do so. You should prefer to enable
require_token_presence_for_authentication?if possible, instead of setting this to:jti. Note that whatever you do here, if you did not previously haverequire_token_presence_for_authentication?set totrue, setting it totrueor settingauthentication.session_identifierto:jtiwill log out all of your currently authenticated users.Workarounds
You can manually revoke tokens in your
logout/2handler in your auth controller. - Compromised tokens (via XSS, network interception, or device theft) continue to work even after the user logs out
- Database specific
{ "nvd_published_at": "2025-06-17T15:15:53Z", "cwe_ids": [ "CWE-613" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2025-06-17T14:20:46Z" }- References
-
- https://github.com/team-alembic/ash_authentication_phoenix/security/advisories/GHSA-f7gq-h8jv-h3cq
- https://nvd.nist.gov/vuln/detail/CVE-2025-4754
- https://github.com/team-alembic/ash_authentication_phoenix/pull/634
- https://github.com/team-alembic/ash_authentication_phoenix/commit/a3253fb4fc7145aeb403537af1c24d3a8d51ffb1
- https://github.com/team-alembic/ash_authentication_phoenix
Affected packages
Hex / ash_authentication_phoenix
Package
- Name
- ash_authentication_phoenix
- Purl
- pkg:hex/ash_authentication_phoenix