N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-4754

CVE-2025-4754: ash_authentication_phoenix has Insufficient Session Expiration

Impact

Session tokens remain valid on the server after user logout, creating a security gap where:

Compromised tokens (via XSS, network interception, or device theft) continue to work even after the user logs out
- The sessions stored in the database still expire, limiting the duration during which this could be exploited
Users cannot fully invalidate their sessions when logging out from shared or potentially compromised devices
- by default, changing one's password does invalidate all other sessions, so changing your password as a security measure would have been effective
May cause compliance issues with security frameworks requiring complete session

Patches

Upgrade to version 2.10.0. After upgrading, users must update their AuthController implementation to use the new clear_session/2 function with their OTP app name. You will be prompted to do so with a compile-time error.

If you do not have the setting require_token_presence_for_authentication? set to true in the tokens section, you will see a separate error:

** (Spark.Error.DslError) authentication -> session_identifier:
Must set `authentication.session_identifier` to either `:jti` or `:unsafe`.

...

In order to revoke sessions on log out when not storing tokens directly in the session, we must have some unique identifier with which to do so. You should prefer to enable require_token_presence_for_authentication? if possible, instead of setting this to :jti. Note that whatever you do here, if you did not previously have require_token_presence_for_authentication? set to true, setting it to true or setting authentication.session_identifier to :jti will log out all of your currently authenticated users.

Workarounds

You can manually revoke tokens in your logout/2 handler in your auth controller.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-4754

CVE-2025-4754:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ash_authentication_phoenix	erlang	<= 2.9.0	2.10.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability (CVE-2025-4754, GHSA-f7gq-h8jv-h3cq) in ash_authentication_phoenix prior to version 2.10.0 was an insufficient session expiration issue. Specifically, when a user logged out, the session token was not invalidated on the server. This meant that compromised tokens could be reused until their server-side expiration.

The root cause was traced to the default sign_out/2 function provided by AshAuthentication.Phoenix.Controller. This function, when used by applications, would call clear_session() which, in this context, was an alias for Plug.Conn.clear_session/1. This Elixir Plug function only clears session data from the connection (typically client-side cookies) but does not perform any server-side token revocation.

The patch addresses this by:

Removing the default, vulnerable sign_out/2 implementation from AshAuthentication.Phoenix.Controller. This forces developers to explicitly handle the sign-out logic.
Introducing a new function AshAuthentication.Phoenix.Controller.clear_session/2 which, unlike the old clear_session/1 (which was Plug.Conn.clear_session/1), explicitly calls helper functions (Helpers.revoke_bearer_tokens/2 and Helpers.revoke_session_tokens/2) to invalidate tokens on the server before clearing the client-side session with Plug.Conn.clear_session/1.
Adding a macro clear_session/1 to AshAuthentication.Phoenix.Controller that raises a compile-time error, guiding users to adopt the new clear_session/2 function.

Therefore, the primary vulnerable function was the library's default AshAuthentication.Phoenix.Controller.sign_out/2 due to its incomplete logout procedure. During exploitation, a call to this function (or a user-defined sign_out function that similarly only called Plug.Conn.clear_session/1) would appear in runtime profiles, leading to the session remaining active on the server.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-4754: ash_authentication_phoenix has Insufficient Session Expiration

Impact

Patches

Workarounds

CVE-2025-4754:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-4754: ash_authentication_phoenix has Insufficient Session Expiration

Impact

Patches

Workarounds

Technical Details

N/A

N/A

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI