CVE-2025-64100 Overview
CVE-2025-64100 is a session fixation vulnerability [CWE-384] affecting CKAN, an open-source data management system (DMS) used to power data hubs and data portals. The flaw exists in CKAN releases prior to 2.10.9 and 2.11.4 when the site is configured with server-side session storage. CKAN uses cookie-based session storage by default, so only deployments that have opted into server-side sessions are affected. An attacker who can either set a cookie on the victim's browser or steal a currently valid session identifier can retain access after the victim authenticates. The maintainers addressed the issue by regenerating session identifiers after each successful login.
Critical Impact
Attackers can hijack authenticated CKAN user sessions by fixing a session identifier before the victim logs in, gaining access to the victim's account and data.
Affected Products
- CKAN versions prior to 2.10.9
- CKAN versions prior to 2.11.4 (2.11.x branch)
- CKAN deployments configured with server-side session storage
Discovery Timeline
- 2025-10-29 - CVE-2025-64100 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-64100
Vulnerability Analysis
CKAN handles user authentication through Flask session cookies. Prior to the patched releases, the application did not rotate the session identifier when a user transitioned from an anonymous state to an authenticated state. An attacker who could plant a known session ID in the victim's browser, or who had otherwise obtained a valid pre-authentication session token, would continue to hold a valid session after the victim logged in. This class of flaw is tracked under [CWE-384: Session Fixation]. The impact is limited to deployments that switch CKAN from its default cookie-based session storage to server-side session storage, where the session identifier is a server-tracked reference rather than a self-contained signed cookie.
Root Cause
The root cause is missing session identifier regeneration on privilege boundary transitions, specifically at login. Web applications that bind sensitive state to a session ID must invalidate the pre-authentication ID and issue a fresh one after successful authentication. CKAN's user views did not perform this rotation, allowing an existing identifier to persist across the authentication event.
Attack Vector
Exploitation requires user interaction and a pre-positioning step. The attacker must either inject a chosen session cookie into the victim's browser (for example through a sibling-domain cookie write, a network-level cookie injection, or an unrelated XSS) or capture a valid pre-authentication session identifier. Once the victim logs in with that identifier still active, the attacker's copy of the identifier is elevated to an authenticated session. High attack complexity and the need for user interaction limit practical exploitation.
import logging
from typing import Any, Optional, Union
-from flask import Blueprint
+from flask import Blueprint, current_app
from flask.views import MethodView
from ckan.common import asbool
Source: GitHub Commit c2fe437
The patch imports current_app in ckan/views/user.py to enable session regeneration through the Flask application context during the login flow.
Detection Methods for CVE-2025-64100
Indicators of Compromise
- Authenticated CKAN activity from a session ID that was observed in requests before the associated user logged in.
- Set-Cookie responses containing a CKAN session identifier that matches a cookie value already present on inbound requests.
- Concurrent use of the same CKAN session identifier from geographically or network-distinct client IP addresses.
Detection Strategies
- Review CKAN and reverse-proxy access logs for session IDs that persist across the /user/login endpoint without changing.
- Correlate authentication events with prior anonymous requests carrying the same session cookie value.
- Inspect server-side session stores (Redis, database, filesystem) for entries that transition from anonymous to authenticated state without a new key being generated.
Monitoring Recommendations
- Enable audit logging on CKAN's authentication views and forward events to a centralized log platform.
- Alert on multiple distinct user agents or source IPs using the same session identifier within a short time window.
- Monitor deployments that override CKAN defaults to use server-side session backends, since only those are exposed to CVE-2025-64100.
How to Mitigate CVE-2025-64100
Immediate Actions Required
- Upgrade CKAN to 2.10.9 or 2.11.4 (or later) as the primary remediation.
- Invalidate all existing CKAN sessions in the server-side store after upgrading to force re-authentication.
- Audit deployment configuration to confirm whether server-side session storage is in use and whether the site is exposed.
Patch Information
The fix is included in CKAN 2.10.9 and 2.11.4. The upstream change is documented in the CKAN Security Advisory GHSA-2hvh-cw5c-8q8q and the corresponding GitHub commit c2fe437, which introduces session identifier regeneration after successful login in ckan/views/user.py.
Workarounds
- Revert to CKAN's default cookie-based session storage until the upgrade can be applied, since the vulnerability requires server-side session storage.
- Enforce the Secure, HttpOnly, and SameSite=Lax (or Strict) attributes on session cookies to reduce cookie injection paths.
- Terminate active sessions on password change and periodically rotate session backends to limit the window for fixation.
# Upgrade CKAN in a virtualenv-based deployment
pip install --upgrade 'ckan==2.11.4'
# or, for the 2.10.x branch
pip install --upgrade 'ckan==2.10.9'
# Restart the CKAN application server after upgrade
sudo supervisorctl restart ckan-uwsgi
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

