CVE-2025-25202

{"id": "CVE-2025-25202", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-02-11T19:15:18.690", "references": [{"url": "https://github.com/team-alembic/ash_authentication/commit/2dee55252df26fe3d990ff1199397cdcf1bfea8a", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/team-alembic/ash_authentication/security/advisories/GHSA-qrm9-f75w-hg4c", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-269"}]}], "descriptions": [{"lang": "en", "value": "Ash Authentication is an authentication framework for Elixir applications. Applications which have been bootstrapped by the igniter installer present since AshAuthentication v4.1.0 and who have used the magic link strategy _or_ are manually revoking tokens are affected by revoked tokens being allowed to verify as valid. Unless one hase implemented any kind of custom token revocation feature in your application, then one will not be affected. The impact here for users using builtin functionality is that magic link tokens are reusable until they expire. With that said, magic link tokens are only valid for 10 minutes, so the surface area for abuse is extremely low here. The flaw is patched in version 4.4.9. Additionally a compile time warning is shown to users with remediation instructions if they upgrade. 4.4.9 ships with an upgrader, so those who use `mix igniter.upgrade ash_authentication` will have the necessary patch applied. Otherwise, one may run the upgrader manually as described in the error message. As a workaround, delete the generated `:revoked?` generic action in the token resource. This will cause it to use the one internal to Ash Authentication which has always been correct. Alternatively, manually make the changes that are included in the patch."}, {"lang": "es", "value": "Ash Authentication es un framework de autenticaci\u00f3n para aplicaciones Elixir. Las aplicaciones que se han iniciado con el instalador de Igniter presente desde AshAuthentication v4.1.0 y que han utilizado la estrategia de enlace m\u00e1gico _o_ est\u00e1n revocando tokens manualmente se ven afectadas por el hecho de que se permite que los tokens revocados se verifiquen como v\u00e1lidos. A menos que uno haya implementado alg\u00fan tipo de funci\u00f3n de revocaci\u00f3n de token personalizada en su aplicaci\u00f3n, no se ver\u00e1 afectado. El impacto aqu\u00ed para los usuarios que utilizan la funcionalidad incorporada es que los tokens de enlace m\u00e1gico se pueden reutilizar hasta que caduquen. Dicho esto, los tokens de enlace m\u00e1gico solo son v\u00e1lidos durante 10 minutos, por lo que la superficie de abuso es extremadamente baja aqu\u00ed. La falla se corrige en la versi\u00f3n 4.4.9. Adem\u00e1s, se muestra una advertencia de tiempo de compilaci\u00f3n a los usuarios con instrucciones de soluci\u00f3n si actualizan. 4.4.9 se env\u00eda con un actualizador, por lo que aquellos que usan `mix igniter.upgrade ash_authentication` tendr\u00e1n el parche necesario aplicado. De lo contrario, uno puede ejecutar el actualizador manualmente como se describe en el mensaje de error. Como workaround, elimine la acci\u00f3n gen\u00e9rica `:revoked?` generada en el recurso de token. Esto har\u00e1 que utilice la acci\u00f3n interna de Ash Authentication que siempre ha sido correcta. Como alternativa, realice manualmente los cambios que se incluyen en el parche. "}], "lastModified": "2025-08-27T13:23:48.317", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:alembic:ash_authentication:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "214BAFD4-B342-462A-8F23-D28951A7C869", "versionEndExcluding": "4.4.9", "versionStartIncluding": "4.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}