VYPR
Medium severity · 6.1 · OSV Advisory · Published Oct 29, 2025 · Updated Apr 15, 2026

CVE-2025-64100

Description

CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.9 and 2.11.4, session ids could be fixed by an attacker if the site is configured with server-side session storage (CKAN uses cookie-based session storage by default). The attacker would need to either set a cookie on the victim's browser or steal the victim's currently valid session. Session identifiers are now regenerated after each login. This vulnerability has been fixed in CKAN 2.10.9 and 2.11.4.
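The following is an added illustration of the behaviour the description contrasts, not CKAN's code: the in-memory store, its `regenerate` method, `login` and `fixation_possible` are hypothetical stand-ins for a server-side Flask-Session interface and CKAN's login view. It shows why rotating the session id at login, and retiring the old key, is what closes the fixation window.

```python
import secrets
from typing import Dict, Optional


class ServerSideSessions:
    """Hypothetical minimal server-side session store (stand-in for a
    Redis-backed Flask-Session interface): the cookie carries only the id,
    the session data lives here under that id."""

    def __init__(self) -> None:
        self._store: Dict[str, dict] = {}

    def open(self) -> str:
        # Mint an anonymous (pre-login) session, as a first visit would.
        sid = secrets.token_urlsafe(32)
        self._store[sid] = {}
        return sid

    def regenerate(self, old_sid: str) -> str:
        # The fix: issue a fresh id, carry the data over, and drop the old key
        # so an id that was known before login no longer resolves to anything.
        new_sid = secrets.token_urlsafe(32)
        self._store[new_sid] = self._store.pop(old_sid, {})
        return new_sid

    def get(self, sid: str) -> Optional[dict]:
        return self._store.get(sid)


def login(sessions: ServerSideSessions, sid: str, user: str, regenerate: bool) -> str:
    """Authenticate `user` on session `sid`. With regenerate=True the id is
    rotated before the identity is stored, mirroring the patched login view."""
    if regenerate:
        sid = sessions.regenerate(sid)
    sessions.get(sid)["user_id"] = user
    return sid


def fixation_possible(regenerate: bool) -> bool:
    """Does the id that existed before login still resolve to the
    authenticated session afterwards? True means fixation would succeed."""
    sessions = ServerSideSessions()
    pre_login_sid = sessions.open()          # id already present in the browser
    login(sessions, pre_login_sid, "alice", regenerate)
    old = sessions.get(pre_login_sid)
    return old is not None and old.get("user_id") == "alice"
```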

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions      Patched versions
ckan (PyPI)    >= 2.10.0, < 2.10.9    2.10.9
ckan (PyPI)    >= 2.11.0, < 2.11.4    2.11.4

Affected products

  • Range: ckan-1.3.3b, ckan-1.4.3, ckan-1.5, …

Patches

c2fe437f88be

Merge commit from fork

https://github.com/ckan/ckan · Adrià Mercader · Oct 29, 2025 · via ghsa
2 files changed · +35 −1
  • ckan/tests/config/test_sessions.py (+32 −0, modified)
    @@ -112,6 +112,38 @@ def test_redis_storage(self, app: CKANTestApp, monkeypatch):
     
             assert redis.keys("*") == [f"session:{cookie.group(1)}".encode()]
     
    +    @pytest.mark.ckan_config("SESSION_TYPE", "redis")
    +    def test_redis_session_fixation(self, app: CKANTestApp, monkeypatch, user_factory, faker):
    +        """Session id is regenerated on login
    +        """
    +
    +        # app convenience functions use separate test client for each request
    +        # so cookies aren't saved.
    +        test_client = app.test_client()
    +
    +        response = test_client.get("/")
    +        orig_cookie = re.match(r'ckan=([^;]+)', response.headers['set-cookie'])
    +        assert orig_cookie
    +        cookie_header = 'ckan=%s' % orig_cookie.group(1)
    +        same_session = test_client.get("/")
    +        # assert that we're using the same session prior to logging in.
    +        assert same_session.request.headers['cookie'] == cookie_header
    +        password = faker.password()
    +        user = user_factory(password=password)
    +
    +        login_response = test_client.post(h.url_for("user.login"),
    +                                          follow_redirects=False,
    +                                          data={
    +                                              "login": user["name"],
    +                                              "password": password,
    +                                          }
    +                                          )
    +
    +        assert 'set-cookie' in login_response.headers
    +        login_cookie = re.match(r'ckan=([^;]+)', login_response.headers['set-cookie'])
    +        # assert that we're setting a new cookie on login.
    +        assert login_cookie.group(1) != orig_cookie.group(1)
    +
         @pytest.mark.usefixtures("test_request_context")
         def test_cookie_storage(self, app: CKANTestApp, user_factory, faker):
             """User's ID added to session cookie upon login
    
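Review bot: `login_cookie.group(1)` at the end of the hunk dereferences the regex match without checking it, so a missing or re-ordered `ckan=` cookie in `set-cookie` would fail with an AttributeError instead of a readable assertion; add `assert login_cookie` before the inequality, as is already done for `orig_cookie`. The test also only proves that a new id is issued, not that the old one was retired: `test_redis_storage` above already inspects `redis.keys("*")`, so asserting that `f"session:{orig_cookie.group(1)}"` is no longer present after login would cover the half of the fix that actually defeats fixation.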
  • ckan/views/user.py (+3 −1, modified)
    @@ -4,7 +4,7 @@
     import logging
     from typing import Any, Optional, Union
     
    -from flask import Blueprint
    +from flask import Blueprint, current_app
     from flask.views import MethodView
     from ckan.common import asbool
     
    @@ -547,6 +547,8 @@ def login() -> Union[Response, str]:
             user_obj = authenticator.ckan_authenticator(identity)
             if user_obj:
                 next = request.args.get('next', request.args.get('came_from'))
    +            if hasattr(current_app.session_interface, 'regenerate'):
    +                current_app.session_interface.regenerate(session)
                 if _remember:
                     from datetime import timedelta
                     duration_time = timedelta(milliseconds=int(_remember))
    
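Review bot: the `hasattr(current_app.session_interface, 'regenerate')` guard on the first added line silently does nothing for any session interface that lacks `regenerate`, and nothing in the code records which configured backends fall into that case (the advisory says the default cookie-based storage is unaffected, but an operator on another server-side backend cannot tell from here whether they are protected); consider an `else` branch that logs via the module's existing `logging` import, plus a short comment naming the session-fixation fix so the guard is not dropped later. Regenerating before the `_remember` handling that follows is the right order, since the remembered identity should only ever be tied to the fresh id.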
