authentik, an open-source identity provider, has a vulnerability (CVE-2025-29928) in versions prior to 2024.12.4 and 2025.2.3: when authentik is configured to store sessions in the database, deleting a session through the Web Interface or the API does not revoke it, so the holder of that session keeps access to authentik after an administrator believes it has been terminated. Database session storage is not the default configuration; deployments using the default cache-based storage are not affected. The issue was fixed in authentik 2025.2.3 and 2024.12.4. Until an upgrade is possible, switching back to cache-based session storage is the recommended workaround, with the caveat that the switch invalidates every existing session and forces all users to re-authenticate.

Original References

- CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-29928
- authentik Release Notes: https://goauthentik.io/docs/releases/2024.12/
- authentik GitHub Repository: https://github.com/goauthentik/authentik

Exploit Details

The defect is in how sessions are deleted via the Web Interface or the API when authentik is configured to use the database for session storage. A session deletion removes the record authentik keeps for that session, but the session key the client presents in its cookie is never invalidated in the session backend that every subsequent request is checked against. The session therefore disappears from the administrator's view while the cookie continues to authenticate. No new access is gained; what the bug grants is persistence: a session that an administrator revoked during incident response, or that was issued before a user was disabled, keeps working until it expires on its own.

Code Snippet

# Simplified illustration of the defect (not authentik's actual source).
# Deleting a session via the Web Interface or API removes the record authentik
# keeps for it, but nothing invalidates the session key the client's cookie
# carries in the configured session backend, so the cookie stays valid:

def delete_session(session_id):
    session = Session.objects.get(id=session_id)  # authentik's record of the session
    # The record is deleted, but the session key is still accepted by the backend
    session.delete()

In the fixed versions 2024.12.4 and 2025.2.3, deleting a session also revokes it, so the session holder loses access. In Django terms, the revocation has to go through the configured session engine (settings.SESSION_ENGINE), which is the store a request's cookie is actually validated against; the simplified shape of that fix, with session_key assumed to be the attribute holding the cookie's session key:

from importlib import import_module
from django.conf import settings

# SessionStore of whichever backend is configured (database here)
SessionStore = import_module(settings.SESSION_ENGINE).SessionStore

def delete_session(session_id):
    session = Session.objects.get(id=session_id)
    # Invalidate the key in the session backend first, so the cookie is
    # rejected on the next request, then remove authentik's record
    SessionStore(session_key=session.session_key).delete()
    session.delete()
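
The following is an added, self-contained demonstration of the failure mode, not code from authentik or from the original write-up. It models the two stores involved with plain dictionaries: a session engine (the stand-in for Django's SessionStore backend, the only thing a request handler consults when a cookie arrives) and an admin-visible table of session records that the UI/API deletes. Class and function names, the user "alice" and the record-id scheme are all hypothetical. The point it makes generalizes beyond authentik: any system that keeps a separate "who is logged in" table must revoke the key in the store that authenticates requests, and an audit for keys the engine still honours that no record references finds exactly the sessions an administrator believes are gone.

```python
import secrets


class SessionEngine:
    """Stand-in for the session backend (what Django's SessionStore wraps).
    It is the only store a request handler checks when a cookie arrives."""

    def __init__(self):
        self._sessions = {}          # session key -> session data

    def create(self, user):
        key = secrets.token_hex(16)  # opaque key carried in the cookie
        self._sessions[key] = {"_auth_user_id": user}
        return key

    def is_valid(self, key):
        return key in self._sessions

    def delete(self, key):
        self._sessions.pop(key, None)

    def keys(self):
        return set(self._sessions)


class IdentityProvider:
    """Hypothetical stand-in for authentik: a table of session records that
    the admin UI/API deletes, plus the engine that validates cookies."""

    def __init__(self, revoke_on_delete):
        self.engine = SessionEngine()
        self.records = {}            # record id -> (user, session key)
        self.revoke_on_delete = revoke_on_delete

    def login(self, user):
        key = self.engine.create(user)
        record_id = len(self.records) + 1
        self.records[record_id] = (user, key)
        return record_id, key

    def authenticate_request(self, cookie_key):
        """Every subsequent request asks the engine, never the record table."""
        return self.engine.is_valid(cookie_key)

    def delete_session(self, record_id):
        """Admin action. The vulnerable shape removes only the record;
        the fixed shape also invalidates the key in the engine."""
        _user, key = self.records.pop(record_id)
        if self.revoke_on_delete:
            self.engine.delete(key)

    def orphaned_keys(self):
        """Keys the engine still honours but no record references: the
        sessions an administrator believes are gone but that still work."""
        referenced = {key for _user, key in self.records.values()}
        return sorted(self.engine.keys() - referenced)


def cookie_status_after_delete(revoke_on_delete):
    """Log in a constructed sample user, delete the session as an admin would,
    then report (cookie still accepted?, number of orphaned session keys)."""
    idp = IdentityProvider(revoke_on_delete)
    record_id, cookie = idp.login("alice")       # constructed sample user
    assert idp.authenticate_request(cookie)      # sanity: logged in
    idp.delete_session(record_id)                # admin "deletes" the session
    return idp.authenticate_request(cookie), len(idp.orphaned_keys())


if __name__ == "__main__":
    print("vulnerable shape:", cookie_status_after_delete(False))  # (True, 1)
    print("fixed shape:     ", cookie_status_after_delete(True))   # (False, 0)
```

In a real Django deployment the engine call in the fixed branch is `SessionStore(session_key=key).delete()` on the SessionStore of the backend named by settings.SESSION_ENGINE; the orphaned-key audit has no direct equivalent in authentik and is shown only to make the "deleted but still valid" state visible.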

Mitigation

For those who cannot immediately upgrade to a fixed version of authentik, the recommended workaround is to switch to cache-based session storage, which is the default and is not affected by this issue. Be aware that changing the storage backend invalidates all existing sessions: every user has to re-authenticate, and any session an attacker already holds ends at the same time, which is usually desirable. In the affected releases the backend is selected by the AUTHENTIK_SESSION_STORAGE setting; a deployment is only affected if it has been explicitly set to db. Set it to cache (or remove the explicit db value) on every authentik container, server and worker alike, and restart them:

# In the environment file read by the authentik containers (e.g. .env)
AUTHENTIK_SESSION_STORAGE=cache

After the switch (and, later, after the upgrade) verify the behaviour rather than assuming it: sign in as a test user in one browser, delete that user's session from the admin interface, and confirm the next request from that browser is redirected to log in again. With cache-based storage, and in the fixed versions with either backend, deleting a session via the Web Interface or API revokes it immediately. Once the instance runs 2024.12.4 or 2025.2.3 or later, database session storage can be re-enabled if it is needed.

Conclusion

Left unaddressed, this vulnerability means that terminating a session from the admin interface or the API is not an effective control: a stolen cookie, or a session belonging to a user who has since been disabled, keeps working until it expires, defeating session revocation as an incident-response step. Affected deployments should either update authentik to 2024.12.4 or 2025.2.3 (or later), or switch to cache-based session storage until an upgrade is possible, and verify afterwards that deleting a session actually logs the holder out.

Timeline

Published on: 03/28/2025 15:15:49 UTC
Last modified on: 03/28/2025 18:11:40 UTC