VYPR
Medium severity (CVSS 6.1) · OSV Advisory · Published Oct 29, 2025 · Updated Apr 15, 2026

CVE-2025-64100

Description

CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.9 and 2.11.4, session ids could be fixed by an attacker if the site is configured with server-side session storage (CKAN uses cookie-based session storage by default). The attacker would need to either set a cookie on the victim's browser or steal the victim's currently valid session. Session identifiers are now regenerated after each login. This vulnerability has been fixed in CKAN 2.10.9 and 2.11.4.
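To make the mechanism concrete, here is an added, self-contained illustration (not CKAN's code; the in-memory session store, its method names and the planted id are all constructed for this example) of why a server-side session store is exposed to session fixation when the id survives login, and how rotating the id at login, as the fix does, closes it.

```python
"""Session fixation against a server-side session store, and the fix:
regenerate the session id at login. Constructed example, not CKAN code."""
import secrets


class SessionStore:
    """Hypothetical server-side store mapping session id (cookie value) -> data."""

    def __init__(self):
        self._sessions = {}

    def get_or_create(self, sid):
        # A browser presenting an unknown id simply gets an empty session under
        # that id. This is what lets a pre-chosen ("fixed") id become valid.
        return self._sessions.setdefault(sid, {})

    def regenerate(self, old_sid):
        # Move the data to a fresh, unpredictable id and invalidate the old one.
        data = self._sessions.pop(old_sid, {})
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def user_for(self, sid):
        return self._sessions.get(sid, {}).get("user")


def login_vulnerable(store, sid, user):
    """Pre-fix behaviour: authenticate in place, keeping whatever id the
    browser sent, including one that was planted before login."""
    store.get_or_create(sid)["user"] = user
    return sid


def login_fixed(store, sid, user):
    """Post-fix behaviour: rotate the id at the authentication boundary, so an
    id known before login never identifies an authenticated session."""
    new_sid = store.regenerate(sid)
    store.get_or_create(new_sid)["user"] = user
    return new_sid


def fixation_check(login):
    """Regression check: a session id that was valid before login must not
    resolve to the authenticated user afterwards. Returns the user the
    pre-login id maps to after login (None means the fix holds)."""
    store = SessionStore()
    planted_sid = "id-known-before-login"  # constructed value
    store.get_or_create(planted_sid)        # id is live before authentication
    login(store, planted_sid, "victim")
    return store.user_for(planted_sid)
```

The check is the kind of test a deployment using server-side sessions would keep: it passes only when the pre-login id stops identifying the logged-in user.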

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions       Patched versions
ckan (PyPI)    >= 2.10.0, < 2.10.9     2.10.9
ckan (PyPI)    >= 2.11.0, < 2.11.4     2.11.4

Affected products (2)

  • Range: ckan-1.3.3b, ckan-1.4.3, ckan-1.5, …
  • ghsa-coords: Range: >= 2.10.0, < 2.10.9
