ghsa-qrm9-f75w-hg4c
Vulnerability from github
Published
2025-02-11 18:12
Modified
2025-02-11 21:40
Severity ?
6.3 (Medium) - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
Ash Authentication has flawed token revocation checking logic in actions generated by `mix ash_authentication.install`
Details

Impact

Applications which have been bootstrapped by the new igniter installer (since AshAuthentication v4.1.0) and who have used the magic link strategy, password resets, confirmation, or are manually revoking tokens are affected by revoked tokens being allowed to verify as valid. If you did not use the new installer, then you are absolutely not affected.

Additionally, unless you have implemented any kind of custom token revocation feature in your application (in which case even cursory testing would have uncovered this issue), then you will not be significantly affected.

The impact here for users is as follows:

  • For users using the magic link strategy, magic link tokens are reusable until they expire instead of being immediately revoked. By default magic link tokens are valid for 10 minutes.
  • For users of password resets in the password strategy, password reset tokens are reusable until they expire instead of being immediately revoked. By default password reset tokens are valid for 3 days.
  • For users of the confirmation add-on, confirmation tokens are reusable until they expire instead of being immediately revoked. By default password reset tokens are valid for 3 days.

Patches

The flaw is patched in version 4.4.9. Additionally a compile time warning is shown to users with remediation instructions if they upgrade. 4.4.9 ships with an upgrader, so if you use mix igniter.upgrade ash_authentication the necessary patch will be applied for you. Otherwise you can run the upgrader manually as described in the error message

Example

```elixir [warning] Warning while compiling Tunez.Accounts.Token:

The :jti and :token options to the :revoked? action must allow nil values and it must return a :boolean.

This was an error in our igniter installer previous to version 4.4.9, which allowed revoked tokens to be reused.

To fix this, run the following command in your shell:

mix ash_authentication.upgrade 4.4.8 4.4.9

Or:

  • remove allow_nil?: false from these action arguments, and
  • ensure that the action returns :boolean.

like so:

action :revoked?, :boolean do
  description "Returns true if a revocation token is found for the provided token"
  argument :token, :string, sensitive?: true
  argument :jti, :string, sensitive?: true

  run AshAuthentication.TokenResource.IsRevoked
end

```

Workarounds

Delete the generated :revoked? generic action in your token resource This will cause it to use the one internal to AshAuthentication which has always been correct. Alternatively, manually make the changes described above.

References

See the #ash_authentication channel on the Ash Discord.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Hex",
        "name": "ash_authentication"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.0"
            },
            {
              "fixed": "4.4.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-25202"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-11T18:12:33Z",
    "nvd_published_at": "2025-02-11T19:15:18Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nApplications which have been bootstrapped by the new igniter installer (since AshAuthentication v4.1.0) and who have used the magic link strategy, password resets, confirmation, or are manually revoking tokens are affected by revoked tokens being allowed to verify as valid. If you did not use the new installer, then you are absolutely not affected.\n\nAdditionally, unless you have implemented any kind of custom token revocation feature in your application (in which case even cursory testing would have uncovered this issue), then you will not be significantly affected. \n\nThe impact here for users is as follows:\n\n  - For users using the magic link strategy, magic link tokens are reusable until they expire instead of being immediately revoked. By default magic link tokens are valid for 10 minutes.\n  - For users of password resets in the password strategy, password reset tokens are reusable until they expire instead of being immediately revoked. By default password reset tokens are valid for 3 days.\n  - For users of the confirmation add-on, confirmation tokens are reusable until they expire instead of being immediately revoked. By default password reset tokens are valid for 3 days.\n\n### Patches\n\nThe flaw is patched in version 4.4.9. Additionally a compile time warning is shown to users with remediation instructions if they upgrade. 4.4.9 ships with an upgrader, so if you use `mix igniter.upgrade ash_authentication` the necessary patch will be applied for you. Otherwise you can run the upgrader manually as described in the error message\n\n#### Example\n```elixir\n[warning] Warning while compiling Tunez.Accounts.Token:\n\nThe `:jti` and `:token` options to the `:revoked?` action must allow nil values and it must return a `:boolean`.\n\nThis was an error in our igniter installer previous to version 4.4.9, which allowed revoked tokens to be reused.\n\nTo fix this, run the following command in your shell:\n\n    mix ash_authentication.upgrade 4.4.8 4.4.9\n\nOr:\n\n  - remove `allow_nil?: false` from these action arguments, and\n  - ensure that the action returns `:boolean`.\n\n  like so:\n\n    action :revoked?, :boolean do\n      description \"Returns true if a revocation token is found for the provided token\"\n      argument :token, :string, sensitive?: true\n      argument :jti, :string, sensitive?: true\n\n      run AshAuthentication.TokenResource.IsRevoked\n    end\n```\n\n### Workarounds\n\nDelete the generated `:revoked?` generic action in your token resource This will cause it to use the one internal to AshAuthentication which has always been correct. Alternatively,  manually make the changes described above.\n\n### References\n\nSee the `#ash_authentication` channel on the Ash Discord.",
  "id": "GHSA-qrm9-f75w-hg4c",
  "modified": "2025-02-11T21:40:09Z",
  "published": "2025-02-11T18:12:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/team-alembic/ash_authentication/security/advisories/GHSA-qrm9-f75w-hg4c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25202"
    },
    {
      "type": "WEB",
      "url": "https://github.com/team-alembic/ash_authentication/commit/2dee55252df26fe3d990ff1199397cdcf1bfea8a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/team-alembic/ash_authentication"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Ash Authentication has flawed token revocation checking logic in actions generated by `mix ash_authentication.install`"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.