Ash Authentication is a popular authentication framework built for Elixir applications. It streamlines user sign-up, login, token management, and more, letting Elixir developers get up and running quickly. However, a recent security flaw, now tracked as CVE-2025-25202, was discovered in how certain applications handle token revocation—especially when using the magic link strategy or custom token revocation logic.
In this post, we'll break down what this vulnerability means, how it can be exploited, who is affected, how it got patched, and what steps you should take to secure your app.
What is CVE-2025-25202?
In simple terms, this vulnerability affects Ash Authentication apps bootstrapped by the Igniter installer (since v4.1) that:
- Are manually revoking tokens
For these apps, revoked tokens can still be considered valid when verifying them. In practice, this means that if a magic link token was revoked (say, after being used or via admin action), it could still be used to authenticate—even though it should have been dead.
The good news:
What Should Happen with Revocation
If the token is used or manually revoked, future attempts should reject it ("token is revoked").
The Problem
If your app has the Igniter installer and magic link strategy, a generated :revoked? action in the token resource overrides Ash Authentication’s internal logic.
The bug: This generated function can mistakenly allow revoked tokens to verify as valid.
Exploit scenario:
An attacker (or just an unlucky user) obtains a magic link token, maybe through phishing, maybe by reusing an old email. If the token has been revoked but is still within its 10-minute validity window, Ash Authentication may accept it when this buggy code is present.
Example Code Snippet
Consider the following (hypothetical, simplified) Elixir snippet auto-generated for :revoked? in the vulnerable versions:
# In lib/my_app/accounts/token.ex
def revoked?(token, repo) do
  # Bug: only consults the token's own field and never asks Ash's
  # internal revocation list, so a revocation recorded there is missed
  token.revoked
end
This code just checks the revoked field, not accounting for all the ways tokens could be invalid.
The correct, internal logic (simplified)
def revoked?(token, repo) do
  # Delegate to the library's own check, which consults the revocation list
  AshAuthentication.Token.revoked?(token)
end
If you delete the generated :revoked? generic action in your token resource, the library’s internal (safer) function will be used.
Exploitation Example
Suppose an admin revokes a user’s magic link token. Due to the bug, the following code still sees it as "valid":
if MyApp.Accounts.Token.revoked?(token, Repo) do
  {:error, :token_revoked}
else
  {:ok, :authentication_granted}
end
But since revoked? is bugged, it doesn’t enforce the revocation properly!
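To make the failure mode above concrete, here is a constructed, self-contained Elixir script (added for this post, not Ash Authentication's own code) that contrasts a revoked? check which only reads the token's own flag with one that also consults a jti-based revocation store, as the library's internal logic does. The struct, the in-memory store and the jti value are assumptions for the demo; run it with `elixir revoked_demo.exs`.

```elixir
# Constructed demo, not Ash Authentication's real code.
defmodule RevocationDemo do
  # Assumed token shape: its own flag plus the JWT claim id (jti).
  defstruct [:jti, :purpose, revoked: false]

  # Vulnerable check: looks only at the struct's field and ignores the store,
  # mirroring the generated :revoked? action described in the post.
  def revoked_vulnerable?(%__MODULE__{revoked: flag}, _revoked_jtis), do: flag

  # Hardened check: revoked if either the flag or the jti revocation store says so.
  def revoked_hardened?(%__MODULE__{jti: jti, revoked: flag}, revoked_jtis) do
    flag or MapSet.member?(revoked_jtis, jti)
  end

  # The decision a sign-in step makes once it has asked revoked?/2.
  def sign_in(token, revoked_jtis, check) do
    if check.(token, revoked_jtis),
      do: {:error, :token_revoked},
      else: {:ok, :authentication_granted}
  end
end

# Constructed revocation store: the magic link below was revoked after first use
# (or by an admin), but only the store knows; the struct flag was never set.
revoked_jtis = MapSet.new(["magic-link-jti-0001"])
used_magic_link = %RevocationDemo{jti: "magic-link-jti-0001", purpose: :magic_link}

# The buggy check lets the revoked token through.
{:ok, :authentication_granted} =
  RevocationDemo.sign_in(used_magic_link, revoked_jtis, &RevocationDemo.revoked_vulnerable?/2)

# The hardened check rejects it because the jti is in the revocation store.
{:error, :token_revoked} =
  RevocationDemo.sign_in(used_magic_link, revoked_jtis, &RevocationDemo.revoked_hardened?/2)

# A token the store has never seen is still accepted by both checks.
fresh = %RevocationDemo{jti: "magic-link-jti-0002", purpose: :magic_link}
{:ok, :authentication_granted} =
  RevocationDemo.sign_in(fresh, revoked_jtis, &RevocationDemo.revoked_hardened?/2)

IO.puts("revocation checks behaved as expected")
```

The pattern matches act as assertions: if the vulnerable check ever started honouring the store, or the hardened one stopped, the script would crash with a MatchError instead of printing.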
Compile-time warnings are shown if you’re at risk, with upgrade instructions.
To Patch Automatically:
After updating the dependency in your mix.exs to {:ash_authentication, "~> 4.4.9"}, run
mix igniter.upgrade ash_authentication
This will update your files with the correct logic automatically.
Manual workaround:
Find and delete the generated :revoked? generic action in your token resource, like
# lib/my_app/accounts/token.ex
# Delete or comment out the entire generated revoked? block so the
# library's internal check is used instead
Or, manually patch it as per the instructions in the security advisory.
References and More Information
- Official Security Advisory
- Changelog for v4.4.9
- Ash Authentication Docs
- Mix Igniter Installer
If you can't upgrade, delete the buggy :revoked? action OR copy the latest safe logic.
The risk is low due to token expiry, but all authentication code should get quick attention. Don't delay!
Have more questions about CVE-2025-25202? Check out the advisory on GitHub or ask in the Elixir community forums.
Timeline
Published on: 02/11/2025 19:15:18 UTC