
CVE-2025-64100: CKAN vulnerable to fixed session IDs

CVSS Score (CVSS v3.1): 6.1

Basic Information

EPSS Score
-
Published
10/29/2025
Updated
10/29/2025
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions  | First Patched Version
ckan         | pip       | >= 2.10.0, < 2.10.9  | 2.10.9
ckan         | pip       | >= 2.11.0, < 2.11.4  | 2.11.4

Vulnerability Intelligence

Root Cause Analysis

The vulnerability described is a session fixation issue in CKAN, where session identifiers were not regenerated after a user logs in. This could allow an attacker to hijack a user's session. The provided commit c2fe437f88be850a6edf7a32470772428819fab5 directly addresses this vulnerability. The patch modifies the login function in ckan/views/user.py to explicitly regenerate the session after successful authentication by calling current_app.session_interface.regenerate(session). The absence of this session regeneration logic in the login function is the root cause of the vulnerability. Therefore, the login function is the vulnerable function that would be observed in a runtime profile when the vulnerability is exploited (i.e., when a user logs in with a fixated session ID).

Vulnerable functions

login
ckan/views/user.py
The `login` function was vulnerable to session fixation. Before the patch, it did not regenerate the session ID after a user successfully authenticated. This allowed an attacker to potentially hijack a user's session if they could fixate the session ID in the victim's browser. The patch adds a call to regenerate the session, mitigating the vulnerability.
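The following is an added illustration of the fix described in the root cause analysis and the `login` entry above; it is not CKAN's code. It models a server-side session store with a `regenerate` method in the spirit of the patch (the store, the `login_vulnerable`/`login_fixed` handlers and the credentials are all constructed here), and includes the check a regression test would make: whether a session id known before authentication still maps to the logged-in session.

```python
from __future__ import annotations
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Optional

USERS = {"alice": "correct horse"}  # constructed demo credentials


@dataclass
class Session:
    sid: str
    data: dict = field(default_factory=dict)


class ServerSideSessionStore:
    """Minimal server-side store keyed by the session id from the cookie (hypothetical)."""

    def __init__(self) -> None:
        self._store: dict[str, Session] = {}

    def open(self, cookie_sid: Optional[str]) -> Session:
        # An id presented in the cookie is honoured even if unknown; this is
        # the precondition that makes a fixed id dangerous without regeneration.
        sid = cookie_sid or secrets.token_urlsafe(32)
        return self._store.setdefault(sid, Session(sid))

    def regenerate(self, session: Session) -> Session:
        # Mirrors the patch: mint a fresh id, keep the data, retire the old id.
        self._store.pop(session.sid, None)
        session.sid = secrets.token_urlsafe(32)
        self._store[session.sid] = session
        return session

    def lookup(self, sid: str) -> Optional[Session]:
        return self._store.get(sid)


def _authenticate(username: str, password: str) -> bool:
    expected = USERS.get(username, "")
    return bool(expected) and hmac.compare_digest(expected, password)


def login_vulnerable(store, cookie_sid, username, password) -> Optional[str]:
    session = store.open(cookie_sid)
    if not _authenticate(username, password):
        return None
    session.data["user_id"] = username  # pre-auth id stays valid after login
    return session.sid


def login_fixed(store, cookie_sid, username, password) -> Optional[str]:
    session = store.open(cookie_sid)
    if not _authenticate(username, password):
        return None
    session = store.regenerate(session)  # new id issued after authentication
    session.data["user_id"] = username
    return session.sid


def pre_auth_sid_still_authenticated(login: Callable) -> bool:
    """Regression check: does an id issued before login resolve to the logged-in session?"""
    store = ServerSideSessionStore()
    known_sid = store.open(None).sid
    login(store, known_sid, "alice", "correct horse")
    s = store.lookup(known_sid)
    return s is not None and s.data.get("user_id") == "alice"
```

`pre_auth_sid_still_authenticated(login_vulnerable)` returns True and the same check against `login_fixed` returns False, which is the property a test suite should pin after applying the patch.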

WAF Protection Rules

WAF Rule

Impact
Session ids could be fixed by an attacker if the site is configured with server-side session storage (CKAN uses cookie-based session storage by default). The attacker would need to either set a cookie on the victim's browser or steal the
