CVE-2025-29928
Published: 28 March 2025
Summary
CVE-2025-29928 is a high-severity Session Fixation (CWE-384) vulnerability in Goauthentik Authentik. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078). The CVE ranks at the 41.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-12 (Session Termination): requires enforced termination of user sessions when an administrator deletes them via the web interface or API, directly preventing persistent access from unrevoked database-stored sessions.
- SI-2 (Flaw Remediation): mandates timely flaw remediation by patching to the fixed authentik versions, eliminating the session revocation failure.
- Configuration settings: ensures the deployment avoids the vulnerable database-backed session storage by enforcing the recommended cache-based storage until the upgrade is applied.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability prevents session revocation on deletion, so a compromised valid account or web session cookie remains usable despite revocation attempts.
NVD Description
authentik is an open-source identity provider. Prior to versions 2024.12.4 and 2025.2.3, when authentik was configured to use the database for session storage (which is a non-default setting), deleting sessions via the Web Interface or the API would not revoke the session and the session holder would continue to have access to authentik. authentik 2025.2.3 and 2024.12.4 fix this issue. Switching to the cache-based session storage until the authentik instance can be upgraded is recommended. This will however also delete all existing sessions and users will have to re-authenticate.
Deeper analysis
CVE-2025-29928 affects authentik, an open-source identity provider, specifically in configurations using database-backed session storage, which is non-default. In versions prior to 2024.12.4 and 2025.2.3, attempts to delete sessions through the web interface or API fail to revoke them, allowing the session holder to retain unauthorized access to authentik. The vulnerability is classified under CWE-384 (Session Fixation) with a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to network accessibility, changed scope, and significant confidentiality and integrity impacts.
Attackers require no privileges (PR:N) but must overcome high complexity (AC:H) and rely on user interaction (UI:R), such as tricking an administrator or user into performing a session deletion action via the interface or API. Successful exploitation enables persistent access for a compromised session despite revocation efforts, potentially allowing unauthorized data access or modifications with high confidentiality and integrity consequences.
The authentik security advisory (GHSA-p6p8-f853-9g2p) and related commit (71294b7deb6eb5726a782de83b957eaf25fc4cf6) confirm fixes in versions 2024.12.4 and 2025.2.3. As a temporary mitigation, administrators should switch to cache-based session storage, though this invalidates all existing sessions and requires user re-authentication. Upgrading to a patched version is the permanent solution.
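Added triage helper (not authentik's own code and not part of the advisory) that decides whether an instance is exposed from the two facts the analysis turns on: the release version against the fixed releases 2024.12.4 and 2025.2.3, and whether sessions are database-backed. The session-storage values "db" and "cache" are an assumption about how the deployment's setting is recorded, not something the advisory specifies.

```python
"""Triage: is an authentik instance exposed to CVE-2025-29928?
Constructed example; the inventory and the 'db'/'cache' values are assumptions."""
from typing import Dict, List, Tuple

# Fixed releases named in the advisory, keyed by (year, month) release branch.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (2024, 12): (2024, 12, 4),
    (2025, 2): (2025, 2, 3),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse authentik's calendar version 'YYYY.M.P' (optional 'v' prefix).
    A missing patch component counts as 0, so '2025.2' becomes (2025, 2, 0)."""
    parts = text.strip().lstrip("v").split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised authentik version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_fixed_version(version: str) -> bool:
    """True when the release carries the session-revocation fix.
    Branches older than 2024.12 never received it; 2024.12 and 2025.2 are fixed
    from the listed patch level; any branch newer than 2025.2 is treated as fixed."""
    v = parse_version(version)
    branch = (v[0], v[1])
    if branch in FIXED_BY_BRANCH:
        return v >= FIXED_BY_BRANCH[branch]
    return branch > max(FIXED_BY_BRANCH)


def is_affected(version: str, session_storage: str) -> bool:
    """The bug only triggers with database-backed sessions (non-default).
    Assumption: session_storage is 'db' or 'cache'; cache-backed deletion revokes."""
    if session_storage.strip().lower() != "db":
        return False
    return not is_fixed_version(version)


def triage(inventory: Dict[str, Tuple[str, str]]) -> List[str]:
    """Return the names of inventory entries (name -> (version, storage)) that
    still need either the upgrade or the cache-storage workaround."""
    return sorted(n for n, (ver, store) in inventory.items() if is_affected(ver, store))
```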
Details
- CWE(s)