CVE-2025-64100

Published: Oct 29, 2025

Modified: Oct 29, 2025

PUBLISHED

CVSS v3.1

6.1

MEDIUM

Description

CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.9 and 2.11.4, session ids could be fixed by an attacker if the site is configured with server-side session storage (CKAN uses cookie-based session storage by default). The attacker would need to either set a cookie on the victim's browser or steal the victim's currently valid session. Session identifiers are now regenerated after each login. This vulnerability has been fixed in CKAN 2.10.9 and 2.11.4

Vendor	Product	Versions
ckan	ckan	affected `< 2.10.9` affected `>= 2.11.0, < 2.11.4`

Weaknesses (CWE)

CWE-384

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

References

https://github.com/ckan/ckan/security/advisories/GHSA-2hvh-cw5c-8q8q

x_refsource_CONFIRM

https://github.com/ckan/ckan/commit/c2fe437f88be850a6edf7a32470772428819fab5

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-64100

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References