CVE-2025-64100 MEDIUM

CVE-2025-64100: CKAN Vulnerable to Session Cookie Fixation

Vendor Ckan
Product ckan
Weakness CWE-384 · Session fixation
Published October 29, 2025
Last update October 29, 2025

CVSS base score

6.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

What the vulnerability does

Description

CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.9 and 2.11.4, session ids could be fixed by an attacker if the site is configured with server-side session storage (CKAN uses cookie-based session storage by default). The attacker would need to either set a cookie on the victim's browser or steal the victim's currently valid session. Session identifiers are now regenerated after each login. This vulnerability has been fixed in CKAN 2.10.9 and 2.11.4.
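The fix the description names, regenerating the session identifier at login, is easiest to see against a server-side session store, since that is the only configuration the record says is affected. The following is an added example written for this page, not CKAN's own code: a minimal in-memory store with a login handler that keeps the client-presented id (the pre-fix behaviour) beside one that rotates it, plus a regression check a deployer could keep in their test suite. The store, the handler names and the user "alice" are all constructed here.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class ServerSideSessionStore:
    """Toy server-side session store (constructed for this example):
    the cookie carries only an opaque id, all state lives here."""
    sessions: dict = field(default_factory=dict)

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {}
        return sid

    def get(self, sid: str):
        return self.sessions.get(sid)


def login_without_rotation(store: ServerSideSessionStore, sid: str, user: str) -> str:
    """Vulnerable pattern: authentication state is written into whatever
    session id the client presented, so an id known before login stays
    valid (and now authenticated) after it."""
    data = store.get(sid)
    if data is None:
        sid = store.new_session()
        data = store.get(sid)
    data["user"] = user
    return sid  # client keeps the same cookie value


def login_with_rotation(store: ServerSideSessionStore, sid: str, user: str) -> str:
    """Fixed pattern: the pre-login session is discarded and a fresh id is
    issued, so nothing set or observed before authentication identifies
    the authenticated session."""
    old = store.sessions.pop(sid, {}) if sid else {}
    new_sid = store.new_session()
    # Carry over only non-authentication state (e.g. a locale preference).
    store.sessions[new_sid] = {k: v for k, v in old.items() if k != "user"}
    store.sessions[new_sid]["user"] = user
    return new_sid  # server must send this as the new cookie value


def fixation_possible(login_fn) -> bool:
    """Regression check: does an id that existed before login still map
    to the authenticated session afterwards? True means fixable."""
    store = ServerSideSessionStore()
    pre_sid = store.new_session()          # id known before authentication
    login_fn(store, pre_sid, "alice")      # victim authenticates
    pre = store.get(pre_sid)
    return pre is not None and pre.get("user") == "alice"


if __name__ == "__main__":
    print("without rotation fixable:", fixation_possible(login_without_rotation))
    print("with rotation fixable:   ", fixation_possible(login_with_rotation))
```

The check is deliberately framed around the server's behaviour rather than how an id might be planted: whatever the delivery path, a handler that keeps the pre-login id fails it and one that rotates passes. With cookie-based (client-side) sessions the same check is moot, which matches the record's note that CKAN's default configuration was not affected.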

Key dates

Disclosure timeline

October 29, 2025 CVE published
October 29, 2025 Record updated