PT-2025-25659 · Ash · Ash Authentication Phoenix

Reported by James Harton +4 · Published 2025-06-17 · Updated 2025-07-04 · CVE-2025-4754

CVSS v4.0: 2.3 (Low)

Vector: AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions

ash-project/ash_authentication_phoenix, versions prior to 2.10.0

Description

The issue affects the ash_authentication_phoenix library, where session tokens remain valid on the server after a user logs out. This creates a security gap where a compromised token continues to work even after the user has logged out. The sessions stored in the database still expire, which limits the window during which this could be exploited. Users cannot fully invalidate their sessions when logging out from shared or potentially compromised devices; changing one's password, however, does invalidate all other sessions. This may cause compliance issues with security frameworks that require complete session invalidation on logout.

Recommendations

Upgrade to version 2.10.0. After upgrading, update the AuthController implementation to use the new `clear_session/2` function with the OTP app name. If the setting `require_token_presence_for_authentication?` in the `tokens` section is not set to `true`, enable it if possible, or set `authentication.session_identifier` to `:jti`. Note that setting `require_token_presence_for_authentication?` to `true` or setting `authentication.session_identifier` to `:jti` will log out all currently authenticated users if this was not previously configured. As a temporary workaround, manually revoke tokens in the `logout/2` handler of the auth controller.
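The following is an added example (not code from the advisory or from the ash_authentication_phoenix project) showing what the recommended post-upgrade changes look like in practice: the sign-out action of a Phoenix AuthController calling `clear_session/2` with the OTP app name, and the two DSL settings on the user resource. The module names `MyAppWeb.AuthController`, `MyApp.Accounts.User`, `MyApp.Accounts.Token`, `MyApp.Secrets`, the OTP app name `:my_app` and the `/` return path are assumptions for illustration.

```elixir
# Added example, not the project's own code. Names such as MyAppWeb, MyApp.Accounts
# and the OTP app :my_app are assumptions.

defmodule MyAppWeb.AuthController do
  use MyAppWeb, :controller
  use AshAuthentication.Phoenix.Controller

  # success/4 and failure/3 callbacks omitted; they are unchanged by the upgrade.

  # Post-2.10.0 sign-out: clear_session/2 receives the OTP app name so the library
  # can locate the token resource and revoke the session's token on the server,
  # rather than only dropping the Phoenix session cookie (the pre-fix behaviour,
  # which left the token usable until its natural expiry).
  def sign_out(conn, _params) do
    return_to = get_session(conn, :return_to) || ~p"/"

    conn
    |> clear_session(:my_app)
    |> put_flash(:info, "You are now signed out")
    |> redirect(to: return_to)
  end
end

defmodule MyApp.Accounts.User do
  use Ash.Resource,
    domain: MyApp.Accounts,
    extensions: [AshAuthentication]

  authentication do
    # Alternative (or complement) to require_token_presence_for_authentication?:
    # tie the Phoenix session to the token's JTI, so a revoked token cannot be
    # used to resume the session. Changing this logs out all current users.
    session_identifier :jti

    tokens do
      enabled? true
      token_resource MyApp.Accounts.Token
      signing_secret MyApp.Secrets

      # Every authenticated request must present a token that has not been
      # revoked; after sign-out the revoked token is rejected. Turning this on
      # for the first time also logs out all currently authenticated users.
      require_token_presence_for_authentication? true
    end
  end

  # attributes, identities and strategies omitted
end
```

Applying the resource settings on a live system is a deliberate one-time logout of every user, as the advisory notes, so schedule the change accordingly. Until the upgrade is deployed, the advisory's interim workaround is to revoke the current token explicitly inside the existing `logout/2` handler instead of relying on `clear_session`.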

Fix

Weakness Enumeration

Insufficient Session Expiration

Related Identifiers

CVE-2025-4754
GHSA-F7GQ-H8JV-H3CQ

Affected Products

Ash Authentication Phoenix