CVE-2025-64100
Published 2025-10-29
Priority: P4 · 33 · Severity: medium · CVSS 3.1 base score: 6.1
CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
EPSS: 0.27% (18.4th percentile)
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.9 and 2.11.4, session IDs could be fixed by an attacker if the site is configured with server-side session storage (CKAN uses cookie-based session storage by default). The attacker would need to either set a cookie on the victim's browser or steal the victim's currently valid session. Session identifiers are now regenerated after each login. This vulnerability has been fixed in CKAN 2.10.9 and 2.11.4.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ckan | ckan | < 2.10.9 | 2.10.9 |
| ckan | ckan | — | — |
| ckan | ckan | >= 2.10.0 < 2.10.9 | 2.10.9 |
| ckan | ckan | >= 2.11.0 < 2.11.4 | 2.11.4 |
OSV
CKAN vulnerable to fixed session IDs · osv · 2025-10-29 · CVE-2025-64100 [MEDIUM]
### Impact
Session IDs could be fixed by an attacker if the site is configured with server-side session storage (CKAN uses cookie-based session storage by default). The attacker would need to either set a cookie on the victim's browser or steal the victim's currently valid session. Session identifiers are now regenerated after each login.
### Patches
This vulnerability has been fixed in CKAN 2.10.9 and 2.11.4.
### References
[https://en.wikipedia.org/wiki/Session_fixation](https://en.wikipedia.org/wiki/Session_fixation)
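To make the fix concrete, here is an added example (not CKAN's own code) of a minimal server-side session store with the pre-fix and post-fix login patterns side by side, plus the regression check a maintainer would keep: an ID issued before login must not identify the user afterwards. The store, its method names and the user "alice" are constructed for illustration.

```python
import secrets


class ServerSideSessionStore:
    """Minimal in-memory server-side session store, constructed for illustration.
    Session data lives on the server; the browser only holds the session ID."""

    def __init__(self):
        self._sessions = {}  # session ID -> session data

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def data(self, sid):
        """Session data for an ID, or None if the server does not know it."""
        return self._sessions.get(sid)

    def login_without_regeneration(self, sid, user):
        """Pre-fix pattern: mark the session the browser presented as logged in.
        Whoever already knew `sid` now holds an authenticated session (CWE-384)."""
        if sid not in self._sessions:
            sid = self.new_session()
        self._sessions[sid]["user"] = user
        return sid

    def login_with_regeneration(self, sid, user):
        """Fixed pattern: discard the pre-login ID and issue a fresh one at login,
        so an ID known before authentication never becomes authenticated."""
        old_data = self._sessions.pop(sid, {})
        new_sid = self.new_session()
        self._sessions[new_sid] = {**old_data, "user": user}
        return new_sid


def pre_login_id_stays_unauthenticated(login):
    """Regression check: an ID issued before login must not identify the user
    afterwards. Returns True when the given login routine passes the check."""
    store = ServerSideSessionStore()
    pre_login_sid = store.new_session()   # ID that exists before authentication
    login(store, pre_login_sid, "alice")  # user authenticates while holding it
    leftover = store.data(pre_login_sid)
    return leftover is None or "user" not in leftover


if __name__ == "__main__":
    print("no regeneration:", pre_login_id_stays_unauthenticated(
        ServerSideSessionStore.login_without_regeneration))  # False
    print("regeneration:   ", pre_login_id_stays_unauthenticated(
        ServerSideSessionStore.login_with_regeneration))     # True
```

The same check applies to any Flask-based deployment that swaps the default cookie session for a server-side backend: run it against the real login view with a pre-issued session ID.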
GHSA
CKAN vulnerable to fixed session IDs · ghsa · 2025-10-29 · CVE-2025-64100 [MEDIUM] · CWE-384
(Impact, Patches and References are identical to the OSV entry above.)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.