7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-2306

GHSA ID

GHSA-xv59-gc3r-rf92

EPSS Score

0.46705%

CWE

CWE-613

Published

7/6/2022

Updated

1/27/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-2306

CVE-2022-2306: Insufficient Session Expiration in Nakama

Old session tokens can be used to authenticate to the application and send authenticated requests.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-2306

GHSA ID

GHSA-xv59-gc3r-rf92

EPSS Score

0.46705%

CWE

CWE-613

Published

7/6/2022

Updated

1/27/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/heroiclabs/nakama	go	<= 3.12.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from insufficient session expiration during logout. The GitHub commit added a new AuthenticateLogout RPC endpoint and session cache cleanup, indicating that previous versions lacked proper token invalidation. The core issue was in session validation logic (console_authenticate.go) that didn't check for explicit invalidation, and session cache management (session_cache.go) that retained tokens after logout. These functions together allowed old tokens to remain valid indefinitely.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Ol* s*ssion tok*ns **n ** us** to *ut**nti**t* to t** *ppli**tion *n* s*n* *ut**nti**t** r*qu*sts.

Reasoning

T** vuln*r**ility st*mm** *rom insu**i*i*nt s*ssion *xpir*tion *urin* lo*out. T** *it*u* *ommit ***** * n*w *ut**nti**t*Lo*out RP* *n*point *n* s*ssion ***** *l**nup, in*i**tin* t**t pr*vious v*rsions l**k** prop*r tok*n inv*li**tion. T** *or* issu*

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-2306: Insufficient Session Expiration in Nakama

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI