CVE-2025-64100
📋 TL;DR
This vulnerability allows an attacker to fix (pre-set) a session ID in CKAN when server-side session storage is configured, enabling session fixation attacks. An attacker could hijack a user's session by planting a cookie in the victim's browser or by stealing a valid session. Only CKAN instances using server-side session storage are affected (cookie-based storage is the default).
💻 Affected Systems
- CKAN
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could gain unauthorized administrative access to the CKAN portal, potentially compromising sensitive data, modifying datasets, or disrupting data portal operations.
Likely Case
Attackers could hijack regular user sessions to access or modify data they shouldn't have permission to view, leading to data integrity issues and privacy violations.
If Mitigated
With proper session management controls and monitoring, impact would be limited to temporary session hijacking that could be detected and terminated.
🎯 Exploit Status
Requires an attacker to either set a cookie in the victim's browser or steal a valid session, and the target must be configured for server-side session storage.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.10.9 or 2.11.4
Vendor Advisory: https://github.com/ckan/ckan/security/advisories/GHSA-2hvh-cw5c-8q8q
Restart Required: No
Instructions:
1. Upgrade CKAN to version 2.10.9 (for the 2.10.x branch) or 2.11.4 (for the 2.11.x branch).
2. Verify that session regeneration is working after login.
3. Consider forcing all users to re-authenticate after the upgrade.
🔧 Temporary Workarounds
Switch to cookie-based sessions
Configure CKAN to use cookie-based session storage instead of server-side session storage.
Set beaker.session.type = cookie in the CKAN configuration.
Implement session timeout
Reduce the session lifetime to minimize the window for exploitation.
Set beaker.session.timeout = 3600 (or lower) in the CKAN configuration.
🧯 If You Can't Patch
- Switch to cookie-based session storage configuration immediately
- Implement strict session monitoring and alerting for suspicious session activity
🔍 How to Verify
Check if Vulnerable:
Check the CKAN version and the session storage configuration. If your version is earlier than 2.10.9 on the 2.10.x branch, or earlier than 2.11.4 on the 2.11.x branch, AND the instance uses server-side session storage, you are vulnerable.
Check Version:
paster --plugin=ckan sysadmin --config=/etc/ckan/default/production.ini 2>/dev/null | grep 'CKAN version' || ckan --version
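The check above can be automated. The following is an added example and not part of the advisory or of CKAN's own code: it parses a constructed CKAN .ini fragment and a constructed version string, then applies the advisory's rule (server-side sessions AND a version below the fixed release of its branch). It assumes that any beaker.session.type other than cookie means server-side storage, that the setting lives under [app:main], and that a branch the advisory does not name cannot be judged from this page alone.

```python
import configparser
import re
from typing import Optional, Tuple

# Fixed releases per branch, taken from the advisory's "Patch Version" line.
FIXED_VERSIONS = {(2, 10): (2, 10, 9), (2, 11): (2, 11, 4)}

# Constructed sample of a CKAN configuration using server-side sessions.
# The key name beaker.session.type is the one the advisory refers to.
SAMPLE_INI = """\
[app:main]
use = egg:ckan
ckan.site_url = http://localhost:5000
beaker.session.type = ext:database
beaker.session.url = postgresql://ckan:ckan_pass@localhost/ckan_sessions
beaker.session.timeout = 86400
"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Pull the first X.Y.Z triple out of a version string (e.g. CLI output)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no X.Y.Z version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def session_storage_type(ini_text: str) -> str:
    """Return beaker.session.type from [app:main]; default is 'cookie' (assumption:
    matches the advisory's statement that cookie storage is the default)."""
    cp = configparser.ConfigParser(interpolation=None)  # values may contain '%'
    cp.read_string(ini_text)
    return cp.get("app:main", "beaker.session.type", fallback="cookie").strip()


def is_vulnerable(version: Tuple[int, int, int], session_type: str) -> Optional[bool]:
    """Apply the advisory's rule. Returns None when the branch is not one the
    advisory gives a fixed version for, so the caller must check the vendor."""
    if session_type == "cookie":
        return False  # cookie-based sessions are not affected
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


def assess(ini_text: str, version_text: str) -> dict:
    """Combine both checks into one report for an operator."""
    version = parse_version(version_text)
    stype = session_storage_type(ini_text)
    verdict = is_vulnerable(version, stype)
    return {"version": version, "session_type": stype, "vulnerable": verdict}


if __name__ == "__main__":
    # Constructed version string; real output should come from `ckan --version`.
    print(assess(SAMPLE_INI, "ckan, version 2.11.3"))
```

Feed the function the text of your own .ini and the real output of the version command; a None verdict means the branch is not covered by the advisory and should be checked against the vendor advisory directly.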
Verify Fix Applied:
After patching, verify that session IDs change after each login attempt and that server-side session storage still works correctly.
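To make the "session IDs change after each login" check concrete, here is an added example that is not CKAN code: a minimal in-memory stand-in for server-side session storage, a login handler written in the fixation-prone pattern (it authenticates inside whatever session the request presented) beside the hardened pattern (it moves the session data under a fresh ID and invalidates the old one), and a check that applies the advisory's verification step to either handler. All names (SessionStore, login_fixated, login_regenerating, session_id_changes_on_login) are hypothetical.

```python
import secrets
from typing import Callable, Dict, Optional


class SessionStore:
    """In-memory stand-in for a server-side session backend (constructed)."""

    def __init__(self) -> None:
        self._data: Dict[str, dict] = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._data[sid] = {}
        return sid

    def get(self, sid: str) -> Optional[dict]:
        return self._data.get(sid)

    def regenerate(self, old_sid: str) -> str:
        """Copy the session data under a fresh ID and drop the old ID."""
        data = self._data.pop(old_sid, {})
        new_sid = secrets.token_urlsafe(32)
        self._data[new_sid] = data
        return new_sid


LoginFn = Callable[[SessionStore, str, str], str]


def login_fixated(store: SessionStore, presented_sid: str, user: str) -> str:
    """Pre-fix pattern: keep the ID the client presented and mark it authenticated.
    Whoever chose that ID before login now holds an authenticated session."""
    sid = presented_sid if store.get(presented_sid) is not None else store.new_session()
    store.get(sid)["user"] = user
    return sid


def login_regenerating(store: SessionStore, presented_sid: str, user: str) -> str:
    """Hardened pattern: after authentication succeeds, issue a new ID and
    invalidate the presented one, so a pre-set ID never becomes authenticated."""
    sid = presented_sid if store.get(presented_sid) is not None else store.new_session()
    new_sid = store.regenerate(sid)
    store.get(new_sid)["user"] = user
    return new_sid


def session_id_changes_on_login(login: LoginFn) -> bool:
    """Verification step from the advisory: the ID that existed before
    authentication must not be the one returned after it, and must be dead."""
    store = SessionStore()
    pre_login_sid = store.new_session()
    post_login_sid = login(store, pre_login_sid, "alice")
    return post_login_sid != pre_login_sid and store.get(pre_login_sid) is None


def preset_id_is_authenticated(login: LoginFn) -> bool:
    """Defender's view of the risk: does an ID known before login carry a user after it?"""
    store = SessionStore()
    preset_sid = store.new_session()
    login(store, preset_sid, "alice")
    sess = store.get(preset_sid)
    return sess is not None and "user" in sess


if __name__ == "__main__":
    for name, fn in (("fixated", login_fixated), ("regenerating", login_regenerating)):
        print(name, "rotates ID:", session_id_changes_on_login(fn),
              "preset ID authenticated:", preset_id_is_authenticated(fn))
```

Against a real deployment the same check is done from a browser or HTTP client: note the session cookie value before submitting the login form, then compare it with the value set in the login response; the pre-login value should also be rejected on a subsequent request.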
📡 Detection & Monitoring
Log Indicators:
- Multiple login attempts with same session ID
- Session IDs not changing after login
- Unexpected session reuse from different IP addresses
Network Indicators:
- Cookie manipulation attempts
- Session fixation patterns in HTTP requests
SIEM Query:
source="ckan" AND (event="login" OR event="session") | stats count by session_id | where count > 1
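The three log indicators above can be checked outside a SIEM with a small script. The following is an added example, not part of the advisory: it parses constructed CKAN-style access log lines (the line format, field names and IP addresses are made up for the example; adapt the regex to your own log format) and flags session IDs that survive a login, session IDs that log in more than once, and session IDs used from more than one source address.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed log lines in an assumed "key=value" format; not real CKAN output.
LOG_LINES = [
    "2025-11-05T10:00:01Z ip=198.51.100.10 event=page_view session_id=s-aaa",
    "2025-11-05T10:00:05Z ip=198.51.100.10 event=login session_id=s-aaa user=alice",
    "2025-11-05T10:00:06Z ip=198.51.100.10 event=page_view session_id=s-bbb user=alice",  # rotated after login
    "2025-11-05T10:01:00Z ip=203.0.113.7 event=page_view session_id=s-ccc",
    "2025-11-05T10:01:10Z ip=198.51.100.22 event=login session_id=s-ccc user=bob",
    "2025-11-05T10:01:12Z ip=198.51.100.22 event=page_view session_id=s-ccc user=bob",  # same ID survives login
    "2025-11-05T10:02:00Z ip=203.0.113.7 event=page_view session_id=s-ccc user=bob",  # reuse from other IP
    "2025-11-05T10:03:00Z ip=198.51.100.30 event=login session_id=s-ddd user=carol",
    "2025-11-05T10:03:30Z ip=198.51.100.30 event=login session_id=s-ddd user=carol",  # repeated login, same ID
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) event=(?P<event>\S+) session_id=(?P<sid>\S+)(?: user=(?P<user>\S+))?$"
)


def parse(lines: List[str]) -> List[dict]:
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def sessions_not_rotated_on_login(events: List[dict]) -> Set[str]:
    """Indicator 'session IDs not changing after login': an ID seen before a
    login, on the login itself, and again on a later non-login request."""
    pre, logged, post = set(), set(), set()
    for e in events:  # events are assumed to be in chronological order
        sid = e["sid"]
        if e["event"] == "login":
            logged.add(sid)
        elif sid in logged:
            post.add(sid)
        else:
            pre.add(sid)
    return pre & logged & post


def sessions_with_multiple_logins(events: List[dict]) -> Set[str]:
    """Indicator 'multiple login attempts with same session ID'."""
    logins: Dict[str, int] = defaultdict(int)
    for e in events:
        if e["event"] == "login":
            logins[e["sid"]] += 1
    return {sid for sid, n in logins.items() if n > 1}


def sessions_from_multiple_ips(events: List[dict]) -> Set[str]:
    """Indicator 'unexpected session reuse from different IP addresses'."""
    ips: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        ips[e["sid"]].add(e["ip"])
    return {sid for sid, addrs in ips.items() if len(addrs) > 1}


def report(lines: List[str]) -> Dict[str, Set[str]]:
    events = parse(lines)
    return {
        "not_rotated_on_login": sessions_not_rotated_on_login(events),
        "multiple_logins": sessions_with_multiple_logins(events),
        "multiple_ips": sessions_from_multiple_ips(events),
    }


if __name__ == "__main__":
    for indicator, sids in report(LOG_LINES).items():
        print(f"{indicator}: {sorted(sids) or 'none'}")
```

The "not rotated" detector is the one most directly tied to this CVE: on a patched instance the ID presented on the login request should never appear on later requests. Legitimate roaming (mobile clients changing networks) can trigger the multiple-IP indicator, so treat that one as a prompt for review rather than a verdict.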