CVE-2021-25985

7.8 HIGH

📋 TL;DR

CVE-2021-25985 is a session management vulnerability in Factor (App Framework & Headless CMS) where user sessions are not properly invalidated after logout and are stored in browser local storage without expiration. This allows attackers to steal session tokens via XSS attacks and hijack user accounts. Users of Factor v1.0.4 through v1.8.30 are affected.

💻 Affected Systems

Products:
  • Factor (App Framework & Headless CMS)
Versions: v1.0.4 to v1.8.30
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using affected versions with default session storage configuration are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover of any user, including administrators, leading to data theft, privilege escalation, and full system compromise.

🟠 Likely Case

Attacker steals user sessions via XSS, gains unauthorized access to user accounts, and performs actions as the victim.

🟢 If Mitigated

Limited impact with proper session management, secure cookie settings, and XSS protections in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an XSS vector to steal session tokens from local storage, followed by reuse of the stolen session for account takeover.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.8.31 and later

Vendor Advisory: https://github.com/FactorJS/factor/security/advisories

Restart Required: Yes

Instructions:

1. Update Factor to v1.8.31 or later.
2. Restart the application server.
3. Force all users to re-authenticate to invalidate old sessions.

🔧 Temporary Workarounds

Implement server-side session storage (applies to: all versions)

Replace browser local storage session management with secure server-side sessions using HTTP-only, secure cookies.

Add session expiration (applies to: all versions)

Implement automatic session expiration and proper logout handling that invalidates sessions server-side.

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) to prevent XSS attacks
  • Deploy web application firewall (WAF) rules to detect and block session hijacking attempts

🔍 How to Verify

Check if Vulnerable:

Check the Factor version in package.json or via the application admin panel. If the version is between 1.0.4 and 1.8.30 inclusive, the system is vulnerable.

Check Version:

Check package.json for the "@factor/core" version or run: npm list @factor/core

Verify Fix Applied:

Verify Factor version is 1.8.31 or later and test that sessions are properly invalidated after logout.

📡 Detection & Monitoring

Log Indicators:

  • Multiple successful logins from same session ID from different IPs
  • Session reuse after logout events
  • Unusual user activity patterns

Network Indicators:

  • XSS payloads in HTTP requests
  • Session token theft attempts

SIEM Query:

source="web_logs" AND (event="session_reuse" OR event="multiple_ips_same_session")
