PT-2025-6376 · Unknown · Ashauthentication

Wilburyang · Published 2025-02-11 · Updated 2025-08-27 · CVE-2025-25202

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: AshAuthentication versions 4.1.0 through 4.4.8
Description: The issue affects applications that were bootstrapped by the new igniter installer since AshAuthentication v4.1.0 and that use the magic link strategy or revoke tokens manually. Revoked tokens still verify as valid; the impact is low because magic link tokens are short-lived (10 minutes by default). The flaw also affects password reset and confirmation tokens, which remain reusable until they expire instead of being revoked immediately.
Recommendations: For versions 4.1.0 through 4.4.8, upgrade to version 4.4.9, which includes a patch for the issue. Alternatively, run the upgrader manually with mix ash_authentication.upgrade 4.4.8 4.4.9, or delete the generated :revoked? generic action from the token resource so that the library's internal, correct implementation is used instead. As a temporary workaround, remove allow_nil?: false from the action's arguments and ensure the action returns :boolean.

Weakness Enumeration: Improper Privilege Management

Related Identifiers

CVE-2025-25202
GHSA-QRM9-F75W-HG4C

Affected Products

Ashauthentication