GHSA-7hgr-xvrr-xpw3
nhost has Session Persistence After Password Change
Blast Radius
github.com/nhost/nhostReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
Description
When a user changes their password, either through the authenticated password change endpoint or a password reset ticket, the ChangePassword workflow correctly hashes and persists the new password via UpdateUserChangePassword. However, it does not revoke existing sessions. The auth.refresh_tokens and auth.oauth2_refresh_tokens tables are left untouched, meaning all previously issued refresh tokens remain valid and can continue generating new access tokens indefinitely.
This vulnerability affects all password change paths (handled in change_user_password.go), since they share the same underlying workflow:
- Authenticated password change via the Nhost dashboard or client SDK
- Ticket-based password reset (magic links / recovery flows)
- OAuth2/OIDC sessions managed via
auth.oauth2_refresh_tokens
Attack Scenario
- An attacker steals a victim's refresh token via XSS or a compromised device.
- The victim changes their password, expecting it to terminate all active sessions.
- The server updates
password_hashbut performs no session cleanup, the stolen token remains fully functional.
Impact
The attacker retains persistent access even after the victim's password change. This is especially severe in credential theft scenarios, where the victim's only recovery action does nothing against an active session. Depending on configured TTL, the attacker's window could be days or weeks.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | github.com/nhost/nhost | all versions | 0.0.0-20260430132514-52c70664a7e9 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/nhost/nhost. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/nhost/nhost to 0.0.0-20260430132514-52c70664a7e9 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-7hgr-xvrr-xpw3 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-7hgr-xvrr-xpw3 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-7hgr-xvrr-xpw3. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-7hgr-xvrr-xpw3 in your dependencies?
O3 detects GHSA-7hgr-xvrr-xpw3 across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.