Platform
other
Component
ash_authentication
Fixed in
4.4.9
CVE-2025-25202 is a vulnerability affecting Ash Authentication, an authentication framework for Elixir applications. This issue allows for the replay of revoked tokens, specifically impacting applications using the magic link strategy or those manually revoking tokens. The vulnerability affects versions 4.1.0 through 4.4.8 and is resolved in version 4.4.9.
The flaw is in Ash Authentication's handling of token revocation: a token that has been revoked is still accepted afterwards. An attacker who obtained a magic link token earlier can present it again after it has been revoked or consumed, and authenticates as the user the token was issued for without any further credential. Magic link tokens are the main concern because they are delivered out of band (typically by email) and are supposed to stop working once used or revoked, so a forwarded or intercepted link that should be dead remains valid. The impact follows from whatever the authenticated user may do: reading that user's data, acting on their behalf, and, for privileged accounts, wider compromise of the application. Applications that neither use the magic link strategy nor revoke tokens manually are not affected; any application that relies on a revocation actually taking effect is.
This vulnerability was publicly disclosed on 2025-02-11. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. The probability of exploitation is currently considered low, but the ease of exploitation (requiring only a previously obtained token) warrants attention.
Elixir applications running Ash Authentication 4.1.0 through 4.4.8 are at risk if they use the magic link strategy or revoke tokens manually. Nothing beyond a token that was once valid is needed, so the realistic exposure is any path by which a magic link or other token can be seen by someone other than its intended recipient.
disclosure
Exploit-Status
EPSS
0.16% (37th percentile)
CISA SSVC
The fix for CVE-2025-25202 is to upgrade Ash Authentication to 4.4.9 or later, which rejects revoked tokens again. If an immediate upgrade is not feasible, remove the `:revoked?` generic action from your token resource or apply the changes from the patch by hand; do not rely on adding your own revocation logic on top of the affected version, since manual revocation is itself within the affected code path. Temporarily disabling the magic link strategy reduces the attack surface for that strategy but does nothing for tokens you revoke manually. Monitor authentication logs for sign-ins with tokens that should already have been revoked. After upgrading, confirm the fix by revoking a token and attempting to sign in with it again: the attempt must be rejected.
Upgrade to version 4.4.9 or later. If you used the `mix ash_authentication.install` installer, run `mix igniter.upgrade ash_authentication` to apply the patch. Alternatively, remove the `:revoked?` generic action from the token resource or apply the changes included in the patch manually.
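The post-upgrade check described above, written as an ExUnit regression test. This is an added example, not code from the advisory or from the ash_authentication project. It assumes a hypothetical Phoenix/Ash application in which `MyApp.Accounts.User` is the user resource with a `:magic_link` strategy, `MyApp.Accounts.Token` is its token resource, `MyApp.DataCase` is the usual database test case, and the user resource exposes a `:create` action taking an `email`; it also assumes the public `AshAuthentication.Strategy.MagicLink.request_token_for/2`, `AshAuthentication.Strategy.action/3`, `AshAuthentication.TokenResource.revoke/2` and `AshAuthentication.TokenResource.token_revoked?/2` helpers behave as documented for your installed version and that the magic link strategy's `single_use_token?` option is left at its default; check the names against the docs of the version you run.

```elixir
# Added example (not part of the advisory or of ash_authentication).
# Regression test: a revoked magic link token must not sign the user in again.
# Hypothetical names: MyApp.Accounts.User, MyApp.Accounts.Token, MyApp.DataCase.
defmodule MyApp.Accounts.RevokedTokenReplayTest do
  use MyApp.DataCase, async: true

  alias AshAuthentication.{Info, Strategy, TokenResource}
  alias AshAuthentication.Strategy.MagicLink

  @user_resource MyApp.Accounts.User
  @token_resource MyApp.Accounts.Token

  setup do
    # Constructed fixture: a user for the strategy to sign in.
    user =
      @user_resource
      |> Ash.Changeset.for_create(:create, %{email: "alice@example.com"})
      |> Ash.create!()

    # Mint a magic link token directly instead of going through the email sender.
    strategy = Info.strategy!(@user_resource, :magic_link)
    {:ok, token} = MagicLink.request_token_for(strategy, user)

    %{strategy: strategy, token: token}
  end

  test "a fresh magic link token signs the user in", %{strategy: strategy, token: token} do
    assert {:ok, _user} = Strategy.action(strategy, :sign_in, %{"token" => token})
  end

  test "an explicitly revoked token cannot be replayed", %{strategy: strategy, token: token} do
    # Manual revocation: the second affected code path named in the advisory.
    :ok = TokenResource.revoke(@token_resource, token)
    assert TokenResource.token_revoked?(@token_resource, token)

    # Versions 4.1.0 through 4.4.8 accept the token here; 4.4.9 and later reject it.
    assert {:error, _reason} = Strategy.action(strategy, :sign_in, %{"token" => token})
  end

  test "a consumed single-use magic link cannot be replayed", %{strategy: strategy, token: token} do
    # Assumes single_use_token? is at its default, so the first sign-in revokes the token.
    assert {:ok, _user} = Strategy.action(strategy, :sign_in, %{"token" => token})
    assert {:error, _reason} = Strategy.action(strategy, :sign_in, %{"token" => token})
  end
end
```

Run it with `mix test` before and after the upgrade: on an affected version the two replay tests fail because the second `:sign_in` succeeds, on 4.4.9 they pass. Keeping the test in the suite guards against the `:revoked?` action being reintroduced by a later regeneration of the token resource.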
CVE-2025-25202 is a vulnerability in Ash Authentication affecting versions 4.1.0 through 4.4.8. It allows revoked tokens to be reused, potentially granting unauthorized access.
You are affected if your Elixir application uses Ash Authentication versions 4.1.0 to 4.4.8 and utilizes the magic link strategy or manual token revocation.
Upgrade Ash Authentication to version 4.4.9 or later. If an immediate upgrade is not possible, remove the `:revoked?` generic action from your token resource or apply the patch's changes manually.
There are currently no confirmed reports of active exploitation, but the vulnerability's potential impact warrants prompt mitigation.
Refer to the Ash Authentication project's official repository and documentation for the latest advisory and security updates.