Medium severity (6.1) | OSV Advisory | Published Oct 29, 2025 | Updated Apr 15, 2026
CVE-2025-64100
Description
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to versions 2.10.9 and 2.11.4, session IDs could be fixed by an attacker if the site is configured with server-side session storage (CKAN uses cookie-based session storage by default). The attacker would need to either set a cookie on the victim's browser or steal the victim's currently valid session. Session identifiers are now regenerated after each login. This vulnerability has been fixed in CKAN 2.10.9 and 2.11.4.
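To illustrate the fix the advisory describes, here is an added Python example (not CKAN's own code) built on a constructed in-memory server-side session store: the pre-fix login keeps whatever session ID the request arrived with, while the fixed login regenerates it, and a small regression check tells the two apart. The names `SessionStore`, `login_vulnerable`, `login_fixed` and `pre_login_id_survives_login` are assumptions of this example.

```python
import secrets


class SessionStore:
    """Constructed in-memory server-side session store (hypothetical; stands in
    for a real backend such as a database or Redis and is not CKAN's code)."""

    def __init__(self):
        self._sessions = {}  # session id -> session attributes

    def create(self):
        sid = secrets.token_urlsafe(32)  # fresh, unguessable id
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def login_vulnerable(self, sid, user):
        """Pre-fix behaviour: the user is authenticated into whatever session
        id the request carried, so an id planted before login stays valid."""
        self._sessions.setdefault(sid, {})["user"] = user
        return sid

    def login_fixed(self, sid, user):
        """Fixed behaviour: drop the pre-login id, issue a fresh one and carry
        over only the pre-login state, so the old id no longer resolves to
        the authenticated session."""
        pre_login_state = self._sessions.pop(sid, {})
        new_sid = self.create()
        self._sessions[new_sid] = dict(pre_login_state, user=user)
        return new_sid


def pre_login_id_survives_login(login_method_name):
    """Regression check: start a session before login, log in with it, and
    report whether the pre-login id still resolves to the authenticated
    session. True means the login path is open to session fixation."""
    store = SessionStore()
    sid_before = store.create()
    getattr(store, login_method_name)(sid_before, "alice")
    sess = store.get(sid_before)
    return sess is not None and sess.get("user") == "alice"


if __name__ == "__main__":
    print("pre-fix login open to fixation:",
          pre_login_id_survives_login("login_vulnerable"))
    print("fixed login open to fixation:",
          pre_login_id_survives_login("login_fixed"))
```

The same check, run against a real deployment with server-side sessions, is the one worth keeping in a login test suite: the session cookie value before and after a successful login must differ.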
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| ckan | PyPI | >= 2.10.0, < 2.10.9 | 2.10.9 |
| ckan | PyPI | >= 2.11.0, < 2.11.4 | 2.11.4 |