Vulnerability in Ash Authentication Framework for Elixir Applications
CVE-2025-25202

6.3 MEDIUM

Key Information:

CVE Published: 11 February 2025

What is CVE-2025-25202?

Ash Authentication, an authentication framework for Elixir applications, has a vulnerability that allows magic link tokens to be accepted for validation after they have been revoked, under specific conditions. Applications generated with the AshAuthentication igniter installer from v4.1.0 onwards that use the 'magic link' login strategy, or that revoke tokens manually, may find that tokens they have revoked can still authenticate users. Magic link tokens are valid for only 10 minutes, so the window for misuse is narrow, but the issue should still be addressed promptly. It is fixed in version 4.4.9, which ships with an upgrader; users can apply the fix by running mix igniter.upgrade ash_authentication. For applications that do not use the built-in functionality, or that have a custom token revocation method, the impact may vary; such users are recommended to follow the remediation guidance in the compiler warning shown after upgrading.
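To illustrate the failure mode described above, the following is an added example and not AshAuthentication's own code; it assumes a simplified in-memory token store rather than Ash's real token resource. A validator that only checks the 10-minute expiry still accepts a revoked magic link, while one that also consults the revocation list and consumes the token on first use rejects it.

```python
import secrets

TOKEN_LIFETIME_S = 10 * 60  # the 10-minute magic link validity named in the advisory


class MagicLinkStore:
    """Constructed in-memory stand-in for a token store; not Ash's schema."""

    def __init__(self):
        self._issued = {}   # token -> (subject, expires_at_unix)
        self._revoked = set()

    def issue(self, subject, now):
        """Mint a fresh magic-link token for `subject`, valid for 10 minutes."""
        token = secrets.token_urlsafe(32)
        self._issued[token] = (subject, now + TOKEN_LIFETIME_S)
        return token

    def revoke(self, token):
        """Record the token as revoked (e.g. on logout or explicit invalidation)."""
        self._revoked.add(token)

    def verify_expiry_only(self, token, now):
        """Vulnerable pattern: trusts any known, unexpired token and never
        consults the revocation list, so a revoked link still signs in."""
        entry = self._issued.get(token)
        if entry is None:
            return None
        subject, expires_at = entry
        return subject if now < expires_at else None

    def verify(self, token, now):
        """Hardened pattern: reject revoked tokens, enforce expiry, and consume
        the token on first successful use so a magic link is single-use."""
        if token in self._revoked:
            return None
        entry = self._issued.get(token)
        if entry is None:
            return None
        subject, expires_at = entry
        if now >= expires_at:
            return None
        self._revoked.add(token)  # consume: a second presentation is rejected
        return subject


def demo():
    """Constructed scenario: token revoked inside the 10-minute window, then
    presented again three minutes after issue."""
    store = MagicLinkStore()
    token = store.issue("alice@example.invalid", now=1_000)
    store.revoke(token)
    return (store.verify_expiry_only(token, now=1_180),  # accepted (bug)
            store.verify(token, now=1_180))              # rejected (fixed)
```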

Affected Version(s)

ash_authentication >= 4.1.0, < 4.4.9

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None
