Vulnerabilities: 1 via 2 paths
Dependencies: 36
Source: GitHub
Commit: 78109b53


Insufficient Session Expiration

Severity: medium (new)

  • Vulnerable module: @hotwired/turbo
  • Introduced through: @hotwired/turbo@7.3.0 and @hotwired/turbo-rails@7.3.0

Detailed paths

  • Introduced through: andrewfoster73/catalogue_cleanser#78109b53dfff7eca7a583eef2d79b5f208413b0a › @hotwired/turbo@7.3.0
    Remediation: Upgrade to @hotwired/turbo@8.0.21.
  • Introduced through: andrewfoster73/catalogue_cleanser#78109b53dfff7eca7a583eef2d79b5f208413b0a › @hotwired/turbo-rails@7.3.0 › @hotwired/turbo@7.3.0
    Remediation: Upgrade to @hotwired/turbo-rails@8.0.0.

Overview

@hotwired/turbo provides the speed of a single-page web application without having to write any JavaScript.

Affected versions of this package are vulnerable to Insufficient Session Expiration due to a race condition. An attacker can cause stale session cookies to be restored by delaying HTTP responses containing Set-Cookie headers, potentially reverting session state after it has been modified or invalidated. This is only exploitable if the application uses client-side cookie-based session storage for sessions.

Workaround

This vulnerability can be mitigated by using server-side session storage instead of client-side cookies, or by ensuring logout flows remove or disable Turbo Frame elements before invalidating sessions.

Remediation

Upgrade @hotwired/turbo to version 8.0.21 or higher.