GHSA-94JP-7776-QJ6Q
Vulnerability from github – Published: 2026-06-18 13:06 – Updated: 2026-06-18 13:06Impact
Hydro contains an insufficient session expiration vulnerability in its session recreation logic. When a session is recreated, including during logout or other session renewal flows, Hydro creates a new session token but does not delete the previous server-side session token.
As a result, an old sid cookie may remain valid even after the legitimate user logs out or the session is recreated. An attacker who has obtained a victim's previous sid cookie can replay that cookie over HTTP or HTTPS and continue to access the affected Hydro instance as the victim.
The attacker does not need the victim's username or password. Exploitation requires possession of a previously valid stale sid cookie, but no user interaction is required at exploitation time.
Successful exploitation may allow account takeover within the affected Hydro instance. For a normal user account, this may allow disclosure of private data and unauthorized modification or deletion of data available to the victim.
Patches
The issue has been patched by deleting the old server-side session token before creating a new one during session recreation.
Patched in:
- Pull request: https://github.com/hydro-dev/Hydro/pull/1173
- Patch commit: https://github.com/hydro-dev/Hydro/commit/8450390fcce5f7dc3f11c43a14f1d76dbb949a0d
- Merge commit: https://github.com/hydro-dev/Hydro/commit/8d76be8f0b83d911bf7671962b0467e9d4b5719a
Users should upgrade to a version containing this patch.
Workarounds
If upgrading immediately is not possible, administrators should reduce the risk by forcing all existing sessions to expire or by clearing the server-side session token store after applying a local patch.
Administrators should also review logs for suspicious use of stale sid cookies and rotate any exposed session cookies. However, these mitigations do not fully fix the vulnerability. The recommended remediation is to upgrade to a patched version.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.0.1"
},
"package": {
"ecosystem": "npm",
"name": "hydrooj"
},
"ranges": [
{
"events": [
{
"introduced": "4.10.4"
},
{
"fixed": "5.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-55617"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T13:06:35Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\nHydro contains an insufficient session expiration vulnerability in its session recreation logic. When a session is recreated, including during logout or other session renewal flows, Hydro creates a new session token but does not delete the previous server-side session token.\n\nAs a result, an old sid cookie may remain valid even after the legitimate user logs out or the session is recreated. An attacker who has obtained a victim\u0027s previous sid cookie can replay that cookie over HTTP or HTTPS and continue to access the affected Hydro instance as the victim.\n\nThe attacker does not need the victim\u0027s username or password. Exploitation requires possession of a previously valid stale sid cookie, but no user interaction is required at exploitation time.\n\nSuccessful exploitation may allow account takeover within the affected Hydro instance. For a normal user account, this may allow disclosure of private data and unauthorized modification or deletion of data available to the victim.\n\n### Patches\n\nThe issue has been patched by deleting the old server-side session token before creating a new one during session recreation.\n\nPatched in:\n\n- Pull request: https://github.com/hydro-dev/Hydro/pull/1173\n- Patch commit: https://github.com/hydro-dev/Hydro/commit/8450390fcce5f7dc3f11c43a14f1d76dbb949a0d\n- Merge commit: https://github.com/hydro-dev/Hydro/commit/8d76be8f0b83d911bf7671962b0467e9d4b5719a\n\nUsers should upgrade to a version containing this patch.\n\n### Workarounds\n\nIf upgrading immediately is not possible, administrators should reduce the risk by forcing all existing sessions to expire or by clearing the server-side session token store after applying a local patch.\n\nAdministrators should also review logs for suspicious use of stale sid cookies and rotate any exposed session cookies. However, these mitigations do not fully fix the vulnerability. The recommended remediation is to upgrade to a patched version.",
"id": "GHSA-94jp-7776-qj6q",
"modified": "2026-06-18T13:06:35Z",
"published": "2026-06-18T13:06:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/hydro-dev/Hydro/security/advisories/GHSA-94jp-7776-qj6q"
},
{
"type": "WEB",
"url": "https://github.com/hydro-dev/Hydro/pull/1173"
},
{
"type": "WEB",
"url": "https://github.com/hydro-dev/Hydro/commit/8450390fcce5f7dc3f11c43a14f1d76dbb949a0d"
},
{
"type": "WEB",
"url": "https://github.com/hydro-dev/Hydro/commit/8d76be8f0b83d911bf7671962b0467e9d4b5719a"
},
{
"type": "PACKAGE",
"url": "https://github.com/hydro-dev/Hydro"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Hydro: Insufficient session expiration when recreating sessions"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.