GHSA-94JP-7776-QJ6Q

Vulnerability from github – Published: 2026-06-18 13:06 – Updated: 2026-06-18 13:06
VLAI
Summary
Hydro: Insufficient session expiration when recreating sessions
Details

Impact

Hydro contains an insufficient session expiration vulnerability in its session recreation logic. When a session is recreated, including during logout or other session renewal flows, Hydro creates a new session token but does not delete the previous server-side session token.

As a result, an old sid cookie may remain valid even after the legitimate user logs out or the session is recreated. An attacker who has obtained a victim's previous sid cookie can replay that cookie over HTTP or HTTPS and continue to access the affected Hydro instance as the victim.

The attacker does not need the victim's username or password. Exploitation requires possession of a previously valid stale sid cookie, but no user interaction is required at exploitation time.

Successful exploitation may allow account takeover within the affected Hydro instance. For a normal user account, this may allow disclosure of private data and unauthorized modification or deletion of data available to the victim.

Patches

The issue has been patched by deleting the old server-side session token before creating a new one during session recreation.

Patched in:

  • Pull request: https://github.com/hydro-dev/Hydro/pull/1173
  • Patch commit: https://github.com/hydro-dev/Hydro/commit/8450390fcce5f7dc3f11c43a14f1d76dbb949a0d
  • Merge commit: https://github.com/hydro-dev/Hydro/commit/8d76be8f0b83d911bf7671962b0467e9d4b5719a

Users should upgrade to a version containing this patch.

Workarounds

If upgrading immediately is not possible, administrators should reduce the risk by forcing all existing sessions to expire or by clearing the server-side session token store after applying a local patch.

Administrators should also review logs for suspicious use of stale sid cookies and rotate any exposed session cookies. However, these mitigations do not fully fix the vulnerability. The recommended remediation is to upgrade to a patched version.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.0.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "hydrooj"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.10.4"
            },
            {
              "fixed": "5.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55617"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T13:06:35Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nHydro contains an insufficient session expiration vulnerability in its session recreation logic. When a session is recreated, including during logout or other session renewal flows, Hydro creates a new session token but does not delete the previous server-side session token.\n\nAs a result, an old sid cookie may remain valid even after the legitimate user logs out or the session is recreated. An attacker who has obtained a victim\u0027s previous sid cookie can replay that cookie over HTTP or HTTPS and continue to access the affected Hydro instance as the victim.\n\nThe attacker does not need the victim\u0027s username or password. Exploitation requires possession of a previously valid stale sid cookie, but no user interaction is required at exploitation time.\n\nSuccessful exploitation may allow account takeover within the affected Hydro instance. For a normal user account, this may allow disclosure of private data and unauthorized modification or deletion of data available to the victim.\n\n### Patches\n\nThe issue has been patched by deleting the old server-side session token before creating a new one during session recreation.\n\nPatched in:\n\n- Pull request: https://github.com/hydro-dev/Hydro/pull/1173\n- Patch commit: https://github.com/hydro-dev/Hydro/commit/8450390fcce5f7dc3f11c43a14f1d76dbb949a0d\n- Merge commit: https://github.com/hydro-dev/Hydro/commit/8d76be8f0b83d911bf7671962b0467e9d4b5719a\n\nUsers should upgrade to a version containing this patch.\n\n### Workarounds\n\nIf upgrading immediately is not possible, administrators should reduce the risk by forcing all existing sessions to expire or by clearing the server-side session token store after applying a local patch.\n\nAdministrators should also review logs for suspicious use of stale sid cookies and rotate any exposed session cookies. However, these mitigations do not fully fix the vulnerability. The recommended remediation is to upgrade to a patched version.",
  "id": "GHSA-94jp-7776-qj6q",
  "modified": "2026-06-18T13:06:35Z",
  "published": "2026-06-18T13:06:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/hydro-dev/Hydro/security/advisories/GHSA-94jp-7776-qj6q"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hydro-dev/Hydro/pull/1173"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hydro-dev/Hydro/commit/8450390fcce5f7dc3f11c43a14f1d76dbb949a0d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hydro-dev/Hydro/commit/8d76be8f0b83d911bf7671962b0467e9d4b5719a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hydro-dev/Hydro"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Hydro: Insufficient session expiration when recreating sessions"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…