Platform: other
Component: ash_authentication
Fixed in: 4.1.1
CVE-2025-25202 is a vulnerability affecting Ash Authentication, an authentication framework for Elixir applications. This issue allows for the replay of revoked tokens, specifically impacting applications using the magic link strategy or those manually revoking tokens. The vulnerability affects versions 4.1.0 through 4.4.8 and is resolved in version 4.4.9.
The core impact of CVE-2025-25202 is that an attacker can reuse revoked tokens. In applications using Ash Authentication's magic link functionality, a revoked token can still be used to authenticate a user until its expiration time, which bypasses the intended security control of token revocation. Applications that revoke tokens manually are affected in the same way: a revoked token remains valid until it expires. This could lead to unauthorized access to user accounts and sensitive data, potentially enabling attackers to impersonate legitimate users and perform actions on their behalf. The blast radius is limited to applications that directly use Ash Authentication and its token management features.
This CVE was publicly disclosed on 2025-02-11. There are currently no known public proof-of-concept exploits available. The vulnerability's impact is contingent on the application's use of the magic link strategy or manual token revocation, limiting the immediate exploitation probability. It is not listed on the CISA KEV catalog at the time of writing.
Exploit Status
EPSS: 0.16% (37th percentile)
CISA SSVC
The primary mitigation for CVE-2025-25202 is to upgrade Ash Authentication to version 4.4.9 or later. This version includes a fix that prevents the reuse of revoked tokens. If upgrading is not immediately feasible, consider implementing custom token revocation logic within your application to ensure that revoked tokens are immediately invalidated. While a direct WAF rule is unlikely to be effective, reviewing and tightening access control policies can help limit the potential damage from a successful token replay attack. After upgrading, confirm the fix by attempting to reuse a previously revoked token – it should be rejected.
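As an added illustration of the failure mode described above, the following standalone Elixir module (it is not code from Ash Authentication or from this advisory; the module name, its functions and the sample claims are all constructed for this example) contrasts a verifier that checks only the `exp` claim with one that also consults a revocation list keyed on the token's `jti`, and ends with the reuse check recommended above: issue a token, use it once, revoke it, then replay it.

```elixir
# Hypothetical, self-contained illustration of token revocation checks.
# Not Ash Authentication's implementation: revoked "jti" values are kept in an
# in-memory set, and a token is a plain map standing in for verified JWT claims.
defmodule TokenRevocationExample do
  use Agent

  # Fixed "current time" so the example is deterministic (constructed value).
  @now 1_700_000_000

  def start_link(_opts \\ []) do
    Agent.start_link(fn -> MapSet.new() end, name: __MODULE__)
  end

  @doc "Record a token's jti as revoked."
  def revoke(%{"jti" => jti}), do: Agent.update(__MODULE__, &MapSet.put(&1, jti))

  @doc "True if the token's jti is on the revocation list."
  def revoked?(%{"jti" => jti}), do: Agent.get(__MODULE__, &MapSet.member?(&1, jti))

  # Vulnerable pattern: only the expiry claim is checked, so a revoked token
  # keeps working until "exp" passes, the behaviour this advisory describes.
  def verify_expiry_only(claims, now \\ @now) do
    if claims["exp"] > now, do: {:ok, claims}, else: {:error, :expired}
  end

  # Hardened pattern: reject expired tokens AND tokens on the revocation list.
  def verify(claims, now \\ @now) do
    with {:ok, claims} <- verify_expiry_only(claims, now),
         false <- revoked?(claims) do
      {:ok, claims}
    else
      true -> {:error, :revoked}
      {:error, _} = err -> err
    end
  end

  # Regression check mirroring "attempt to reuse a previously revoked token":
  # a single-use magic link token is consumed, revoked, then replayed.
  def demo do
    {:ok, _pid} = start_link()
    token = %{"jti" => "constructed-jti-1", "sub" => "user@example.com", "exp" => @now + 600}

    {:ok, _} = verify(token)                 # first use is accepted
    :ok = revoke(token)                      # single-use: revoke after consumption
    {:ok, _} = verify_expiry_only(token)     # expiry-only check still accepts the replay
    {:error, :revoked} = verify(token)       # hardened check rejects it
    {:error, :expired} = verify(token, @now + 601)  # and an expired token is rejected too
    :ok
  end
end

TokenRevocationExample.demo() |> IO.inspect()
```

Run it with `elixir token_revocation_example.exs`; the pattern matches in `demo/0` act as assertions and the script prints `:ok` only if the hardened verifier rejected the replayed token while the expiry-only verifier accepted it. The point the example makes is that the revocation check must sit on the same path as the expiry check, not be an optional extra, so that a token is rejected as soon as it is revoked rather than when it expires.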
Upgrade to version 4.4.9 or later. If you are using the `mix ash_authentication.install` installer, run `mix igniter.upgrade ash_authentication` to apply the patch. Alternatively, remove the generic `:revoked?` action from the token resource, or apply the changes included in the patch manually.
CVE-2025-25202 is a vulnerability in Ash Authentication affecting versions 4.1.0 through 4.4.8. It allows revoked tokens to be reused, potentially granting unauthorized access.
You are affected if your Elixir application uses Ash Authentication versions 4.1.0 to 4.4.8 and utilizes the magic link strategy or manual token revocation.
Upgrade Ash Authentication to version 4.4.9 or later. If immediate upgrade is not possible, implement custom token revocation logic.
There are currently no confirmed reports of active exploitation, but the vulnerability's potential impact warrants prompt mitigation.
Refer to the Ash Authentication project's official repository and documentation for the latest advisory and security updates.