How the CVE Works
This vulnerability stems from improper session token invalidation in the Phoenix Framework. When a user logs out, their session tokens remain active on the server, so an attacker who has obtained a token (through XSS, a man-in-the-middle position, or physical access to the device) can continue to use the session. The tokens eventually expire according to the database settings, but until then the unauthorized access persists. A password change does invalidate sessions; an explicit logout does not. This also creates compliance risk, since compliance frameworks mandate full session termination on logout.
DailyCVE Form
Platform: Phoenix Framework
Version: <2.10.0
Vulnerability: Session fixation
Severity: Critical
Date: 2023-05-15
Prediction: Patch expected 2023-06-10
What Undercode Say
```elixir
import Plug.Conn

# Check session token validity on every request.
# `revoked?/1` and `deny_access/1` are application-specific helpers assumed to
# exist (e.g. a lookup in a revoked-token table, and a 401 response that halts
# the connection).
defp validate_session(conn, _opts) do
  if get_session(conn, :user_token) && !revoked?(conn),
    do: conn,
    else: deny_access(conn)
end

# Manual token revocation (workaround): revoke the token server-side, then drop
# the client session. `revoke_token/1` is likewise an application-specific helper.
def logout(conn, _params) do
  revoke_token(get_session(conn, :user_token))
  clear_session(conn)
end
```
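The logout behaviour described above, modelled as an added example in plain Elixir (not code from the advisory or from the Phoenix project): a minimal server-side session store in which the vulnerable logout leaves a stolen token usable, while the fixed logout and a password change revoke it. `SessionStore`, its functions and the user "alice" are illustrative names.

```elixir
# Added example, not from the advisory or Phoenix: a minimal server-side
# session store in plain Elixir (run with `elixir session_store.exs`).
defmodule SessionStore do
  # Store shape: %{token => %{user: user, revoked: boolean}} (illustrative).
  def login(store, user) do
    token = :crypto.strong_rand_bytes(16) |> Base.url_encode64(padding: false)
    {token, Map.put(store, token, %{user: user, revoked: false})}
  end

  # Vulnerable logout: only the client cookie is cleared; the server-side
  # record is untouched, so a stolen copy of the token keeps working.
  def logout_vulnerable(store, _token), do: store

  # Fixed logout: mark the token revoked on the server as well.
  def logout(store, token) do
    case Map.fetch(store, token) do
      {:ok, rec} -> Map.put(store, token, %{rec | revoked: true})
      :error -> store
    end
  end

  # Password change: revoke every token that belongs to the user.
  def password_changed(store, user) do
    Map.new(store, fn
      {t, %{user: ^user} = rec} -> {t, %{rec | revoked: true}}
      other -> other
    end)
  end

  # Per-request check: the token must exist and must not be revoked.
  def authenticate(store, token) do
    case Map.fetch(store, token) do
      {:ok, %{revoked: false, user: user}} -> {:ok, user}
      _ -> {:error, :unauthorized}
    end
  end
end

# Walk through the advisory's scenario with a constructed user "alice".
{token, store} = SessionStore.login(%{}, "alice")
{:ok, "alice"} = SessionStore.authenticate(store, token)

# Vulnerable: after logout the stolen token still authenticates.
weak = SessionStore.logout_vulnerable(store, token)
{:ok, "alice"} = SessionStore.authenticate(weak, token)

# Fixed: revoked on logout, and for all of the user's sessions on password change.
fixed = SessionStore.logout(store, token)
{:error, :unauthorized} = SessionStore.authenticate(fixed, token)
{:error, :unauthorized} = store |> SessionStore.password_changed("alice") |> SessionStore.authenticate(token)
```

Each pattern match at the bottom raises a `MatchError` if the store misbehaves, so the script doubles as a check of both the vulnerable and the fixed path.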
Exploit
- Steal token via XSS/MITM
- Reuse token post-logout
- Bypass authentication
Protection from this CVE
- Upgrade to v2.10.0
- Implement `clear_session/2`
- Enable `require_token_presence_for_authentication?`
Impact
- Session hijacking
- Compliance violations
- Delayed mitigation
Sources:
Reported By: github.com