Critical severity · NVD Advisory · Published Nov 8, 2021 · Updated Apr 30, 2025
Apostrophe - Insufficient Session Expiration
CVE-2021-25979
Description
Apostrophe CMS versions prior to 3.3.1 did not invalidate existing login sessions when disabling a user account or changing the password, creating a situation in which a device compromised by a third party could not be locked out by those means. As a mitigation for older releases the user account in question can be archived (3.x) or moved to the trash (2.x and earlier) which does disable the existing session.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| apostrophe (npm) | >= 2.63.0, < 3.4.0 | 3.4.0 |
Affected products
- Range: unspecified
Patches
c211b211f9f4 session object should exist in task reqs for better compatibility
2 files changed · +4 −3
modules/@apostrophecms/i18n/index.js+2 −2 modified@@ -467,9 +467,9 @@ module.exports = { debug: self.debug, show: self.show, action: self.action, - crossDomainClipboard: req.session.aposCrossDomainClipboard + crossDomainClipboard: req.session && req.session.aposCrossDomainClipboard }; - if (req.session.aposCrossDomainClipboard) { + if (req.session && req.session.aposCrossDomainClipboard) { req.session.aposCrossDomainClipboard = null; } return result;
modules/@apostrophecms/task/index.js+2 −1 modified@@ -214,7 +214,8 @@ module.exports = { Use req.t instead. `); return key; - } + }, + session: {} }; addCloneMethod(req); req.res.__ = req.__;
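Review bot: the `session: {}` added to task reqs in modules/@apostrophecms/task/index.js is a plain object literal, so it only makes property reads such as `req.session.aposCrossDomainClipboard` safe; any caller that expects express-session methods (`save`, `destroy`, `regenerate`) will still fail on a task req, and a one-line comment at that property saying it is a stub for task contexts would prevent that surprise. With that stub in place, the `req.session &&` guards added in modules/@apostrophecms/i18n/index.js are no longer needed for task reqs, though they remain reasonable for other req shapes. Neither hunk contains session-invalidation logic itself, so the commit message should state that this is a compatibility follow-up to the invalidation change the advisory describes, otherwise the link between this patch and CVE-2021-25979 is not visible from the diff.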
References
- github.com/advisories/GHSA-9j9m-8wjc-ff96 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-25979 (NVD advisory)
- github.com/apostrophecms/apostrophe/commit/c211b211f9f4303a77a307cf41aac9b4ef8d2c7c (fix commit)