VYPR
Medium severity (6.9) · NVD Advisory · Published Jun 18, 2026

Hydro: Insufficient session expiration when recreating sessions

CVE-2026-55617

Description

Impact

Hydro contains an insufficient session expiration vulnerability in its session recreation logic. When a session is recreated, including during logout or other session renewal flows, Hydro creates a new session token but does not delete the previous server-side session token.

As a result, an old sid cookie may remain valid even after the legitimate user logs out or the session is recreated. An attacker who has obtained a victim's previous sid cookie can replay that cookie over HTTP or HTTPS and continue to access the affected Hydro instance as the victim.

The attacker does not need the victim's username or password. Exploitation requires possession of a previously valid stale sid cookie, but no user interaction is required at exploitation time.

Successful exploitation may allow account takeover within the affected Hydro instance. For a normal user account, this may allow disclosure of private data and unauthorized modification or deletion of data available to the victim.

Patches

The issue has been patched by deleting the old server-side session token before creating a new one during session recreation.

Patched in:

  • Pull request: https://github.com/hydro-dev/Hydro/pull/1173
  • Patch commit: https://github.com/hydro-dev/Hydro/commit/8450390fcce5f7dc3f11c43a14f1d76dbb949a0d
  • Merge commit: https://github.com/hydro-dev/Hydro/commit/8d76be8f0b83d911bf7671962b0467e9d4b5719a

Users should upgrade to a version containing this patch.

Workarounds

If upgrading immediately is not possible, administrators should reduce the risk by forcing all existing sessions to expire or by clearing the server-side session token store after applying a local patch.

Administrators should also review logs for suspicious use of stale sid cookies and rotate any exposed session cookies. However, these mitigations do not fully fix the vulnerability. The recommended remediation is to upgrade to a patched version.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"Missing deletion of the old server-side session token during session recreation allows stale sid cookies to remain valid."

Attack vector

An attacker who has obtained a victim's previously valid `sid` cookie can replay that cookie over HTTP or HTTPS to the Hydro instance. Because the old server-side session token is not deleted when a session is recreated (e.g., during logout or session renewal), the stale token remains valid. The attacker does not need the victim's username or password, and no user interaction is required at exploitation time [ref_id=1].

What the fix does

The patch adds a single line `if (ctx.session._id) await token.del(ctx.session._id, token.TYPE_SESSION);` in the `else` branch of the session recreation logic in `packages/hydrooj/src/service/layers/base.ts` [patch_id=6467410][patch_id=6467411]. Before creating a new session token, the old server-side session token is now explicitly deleted. This ensures that a stale `sid` cookie cannot be replayed after a session is recreated, closing the insufficient session expiration vulnerability.
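To make the defect and the one-line fix concrete, the following TypeScript is an added illustration written for this page; it is not Hydro's code and it does not reproduce `packages/hydrooj/src/service/layers/base.ts`. It models an in-memory server-side token store with `add`/`get`/`del` methods (the `del(id, type)` shape mirrors the `token.del(ctx.session._id, token.TYPE_SESSION)` call quoted above; everything else, including the names `TokenStore`, `recreateSessionVulnerable`, `recreateSessionFixed`, `staleSidStillValid` and `clearType`, is an assumption made for the example). It shows a session being recreated twice: with the defective logic the first `sid` still resolves to a live session afterwards; with the fix applied it does not. The `clearType` method corresponds to the workaround in the advisory of clearing the server-side session token store.

```typescript
// Added illustration (not Hydro's code): an in-memory session token store
// and two versions of the session-recreation step, one with the defect
// described in the advisory and one with the fix applied.
// TokenStore, recreateSession*, staleSidStillValid and clearType are names
// assumed for this example; only the del(id, type) shape comes from the patch.

import { randomBytes } from "crypto";

const TYPE_SESSION = 0; // token type tag, loosely modelled on token.TYPE_SESSION

interface SessionRecord {
  uid: number;
  createdAt: number;
}

// Minimal server-side token store keyed by (type, token id).
class TokenStore {
  private tokens = new Map<string, SessionRecord>();

  private key(id: string, type: number): string {
    return `${type}:${id}`;
  }

  // Issue a fresh random token id for a new session record.
  add(type: number, record: SessionRecord): string {
    const id = randomBytes(16).toString("hex");
    this.tokens.set(this.key(id, type), record);
    return id;
  }

  // Resolve a presented sid; undefined means the cookie is no longer valid.
  get(id: string, type: number): SessionRecord | undefined {
    return this.tokens.get(this.key(id, type));
  }

  // Counterpart of token.del(id, type) from the patch description.
  del(id: string, type: number): boolean {
    return this.tokens.delete(this.key(id, type));
  }

  // Workaround from the advisory: expire every server-side session of a type at once.
  clearType(type: number): number {
    let removed = 0;
    for (const k of Array.from(this.tokens.keys())) {
      if (k.startsWith(`${type}:`)) {
        this.tokens.delete(k);
        removed++;
      }
    }
    return removed;
  }
}

// Request context: the sid cookie presented by the client resolves to ctx.session.
interface Ctx {
  session: { _id?: string; uid: number };
}

// Defective version: a new token is issued, but the previous one stays in the store.
function recreateSessionVulnerable(store: TokenStore, ctx: Ctx, uid: number): string {
  const newId = store.add(TYPE_SESSION, { uid, createdAt: Date.now() });
  ctx.session = { _id: newId, uid };
  return newId;
}

// Fixed version: delete the old server-side token before creating the new one.
function recreateSessionFixed(store: TokenStore, ctx: Ctx, uid: number): string {
  if (ctx.session._id) store.del(ctx.session._id, TYPE_SESSION);
  const newId = store.add(TYPE_SESSION, { uid, createdAt: Date.now() });
  ctx.session = { _id: newId, uid };
  return newId;
}

// Regression check a test suite would keep: after a session is recreated,
// does the sid that was current before recreation still resolve to a session?
function staleSidStillValid(
  recreate: (s: TokenStore, c: Ctx, u: number) => string,
): boolean {
  const store = new TokenStore();
  const ctx: Ctx = { session: { uid: 0 } };
  const oldSid = recreate(store, ctx, 42); // login: first session for user 42
  recreate(store, ctx, 42);                // logout / renewal: session recreated
  return store.get(oldSid, TYPE_SESSION) !== undefined;
}

console.log("vulnerable leaves old sid valid:", staleSidStillValid(recreateSessionVulnerable)); // true
console.log("fixed leaves old sid valid:", staleSidStillValid(recreateSessionFixed));           // false
```

The check in `staleSidStillValid` is the property the patch restores: once a session has been recreated, the server must not recognise the previous `sid`. Keeping a test of this shape in the project's suite is the cheapest way to prevent the defect from reappearing in another renewal path.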

Preconditions

  • Attacker must possess a previously valid stale sid cookie from the victim's session.
  • The victim must have performed a session recreation (e.g., logout or session renewal) that left the old server-side token undeleted.

Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
