GHSA-f7gq-h8jv-h3cq
ash_authentication_phoenix has Insufficient Session Expiration
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
ash_authentication_phoenixReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Hex packages — download data is not available via public APIs for these ecosystems.
Description
Impact
Session tokens remain valid on the server after user logout, creating a security gap where:
- Compromised tokens (via XSS, network interception, or device theft) continue to work even after the user logs out
- The sessions stored in the database still expire, limiting the duration during which this could be exploited
- Users cannot fully invalidate their sessions when logging out from shared or potentially compromised devices
- by default, changing one's password does invalidate all other sessions, so changing your password as a security measure would have been effective
- May cause compliance issues with security frameworks requiring complete session
Patches
Upgrade to version 2.10.0. After upgrading, users must update their AuthController implementation to use the new clear_session/2 function with their OTP app name. You will be prompted to do so with a compile-time error.
If you do not have the setting require_token_presence_for_authentication? set to true in the tokens section, you will see a separate error:
** (Spark.Error.DslError) authentication -> session_identifier:
Must set `authentication.session_identifier` to either `:jti` or `:unsafe`.
...
In order to revoke sessions on log out when not storing tokens directly in the session, we must have some unique identifier with which to do so. You should prefer to enable require_token_presence_for_authentication? if possible, instead of setting this to :jti. Note that whatever you do here, if you did not previously have require_token_presence_for_authentication? set to true, setting it to true or setting authentication.session_identifier to :jti will log out all of your currently authenticated users.
Workarounds
You can manually revoke tokens in your logout/2 handler in your auth controller.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 💧Hex | ash_authentication_phoenix | all versions | 2.10.0 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for ash_authentication_phoenix. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update ash_authentication_phoenix to 2.10.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-f7gq-h8jv-h3cq is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-f7gq-h8jv-h3cq is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-f7gq-h8jv-h3cq. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-f7gq-h8jv-h3cq in your dependencies?
O3 detects GHSA-f7gq-h8jv-h3cq across Hex dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.