Summary: Ash Authentication, a popular Elixir authentication framework, is affected by CVE-2025-25202, a vulnerability in which revoked tokens remain valid. Applications bootstrapped with the installer from AshAuthentication v4.1 onwards that use the magic link strategy or manually revoke tokens may be affected. The issue is patched in version 4.4.9, and a workaround is available.

Body

Ash Authentication is a widely used authentication framework for Elixir applications. Applications that were set up with the igniter installer from AshAuthentication v4.1 onwards, and that use the magic link strategy or manually revoke tokens, are potentially vulnerable: a token that has been revoked is still treated as valid.

The official announcement, along with details on the vulnerability and its impact, can be found in this GitHub issue.

If your application neither uses the magic link strategy nor revokes tokens manually, you are not affected. If it does, revoked tokens are still accepted; in practice this means a magic link token can be reused until it expires, which happens after 10 minutes. The window for abuse is short, but anyone who obtains an already-used magic link within that window can sign in with it, so the issue is worth remediating.
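A direct way to check whether your application is affected is a test that revokes a token and then asks the framework whether it is revoked. The following ExUnit test is an added example, not code from the advisory or from the AshAuthentication project. It assumes an application named MyApp with a user resource MyApp.Accounts.User, a MyApp.DataCase test case that sandboxes the database, and a user_fixture/0 helper in MyApp.AccountsFixtures that registers a user; all of these names are placeholders for your own. It relies only on AshAuthentication.Jwt.token_for_user/1, AshAuthentication.Info.authentication_tokens_token_resource!/1, AshAuthentication.TokenResource.revoke/2 and AshAuthentication.TokenResource.token_revoked?/2.

```elixir
# test/my_app/token_revocation_test.exs
#
# Added example, not part of the advisory or of AshAuthentication itself.
# Assumed names: MyApp, MyApp.Accounts.User, MyApp.DataCase and the
# MyApp.AccountsFixtures.user_fixture/0 helper (hypothetical; substitute
# your application's own modules).
defmodule MyApp.TokenRevocationTest do
  use MyApp.DataCase, async: false

  import MyApp.AccountsFixtures, only: [user_fixture: 0]

  alias AshAuthentication.{Info, Jwt, TokenResource}

  @user_resource MyApp.Accounts.User

  test "a revoked token is reported as revoked" do
    user = user_fixture()

    # Resolve the token resource configured for the user resource, so the
    # test goes through whatever :revoked? action that resource defines.
    token_resource = Info.authentication_tokens_token_resource!(@user_resource)

    # Issue a token the same way the framework does for a signed-in user.
    {:ok, token, _claims} = Jwt.token_for_user(user)

    # A freshly issued token has no revocation record yet.
    refute TokenResource.token_revoked?(token_resource, token)

    # Revoke it through the framework's public API ...
    :ok = TokenResource.revoke(token_resource, token)

    # ... and confirm the revocation is honoured. On an affected application
    # (the vulnerable generated :revoked? action still present) this assertion
    # fails: the action answers false for a token that has been revoked.
    assert TokenResource.token_revoked?(token_resource, token)
  end
end
```

Run it with mix test test/my_app/token_revocation_test.exs before and after applying the patch or workaround; the final assertion should fail on a vulnerable application and pass once the generated :revoked? action has been removed or corrected.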

To fix the vulnerability, upgrade to AshAuthentication v4.4.9, which includes the patch together with a compile-time warning. The release also ships an upgrader: running mix igniter.upgrade ash_authentication applies the necessary change automatically. If you would rather not use the upgrader, follow the instructions printed in the compile-time message to apply the change by hand.

To work around the issue without upgrading, delete the generated :revoked? generic action from your token resource. The framework then falls back to its internal :revoked? action, which has always been correct. Alternatively, apply the changes from the patch manually:

Example code snippet (patch)

  # token.ex
  # Illustrative snippet as reproduced in this write-up; check the module
  # names against the actual AshAuthentication 4.4.9 changes before relying
  # on them.
  def action(action, value, conn, resource(options)) do
    case action do
      :revoked? ->
        # Route the :revoked? action through the framework's own revocation
        # check before authorisation, instead of the generated action.
        {
          :pipeline,
          [
            {AshAuthentication.Pipeline.Revoked, :revoked?},
            {Ash.Authorization, :authorize}
          ]
        }

      _ ->
        # Every other action keeps the default behaviour (same arity as above).
        super(action, value, conn, resource(options))
    end
  end

Replace token.ex with the path of your own token resource file. Test the application thoroughly after the change, in particular that revoking a token, or consuming a magic link once, actually causes subsequent use of it to be rejected.

Stay secure and keep your applications up to date to mitigate risks and protect your users.

Timeline

Published on: 02/11/2025 19:15:18 UTC