File Browser JWT Vulnerability Allows Session Replay After Logout

Vulnerability

A vulnerability in File Browser version 2.39.0 allows session replay: the JSON Web Tokens (JWT) issued at login are long-lived and remain valid after the user logs out. Logout does not invalidate the token on the server side, so a token captured during a session stays usable until its expiry time. The root cause is that the backend keeps no record of active sessions and has no mechanism to revoke an issued token; the only thing that ends a session is the token's own expiration.

Impact

A valid JWT stays usable after the user logs out, so a stolen token grants access to authenticated endpoints for the remainder of its lifetime regardless of what the user does. Logging out, which users reasonably treat as ending their session, offers no protection against a token that has already been exfiltrated, which violates the expectation that authentication state can be terminated on demand.

Reproduction

To reproduce, log in to File Browser and capture the JWT issued during login (for example with the browser's developer tools or an intercepting proxy). Log out, then replay the captured token against an authenticated endpoint such as the resources API. The request is accepted, showing that the token is still honoured despite the logout.

Remediation

Invalidate JWTs on logout by keeping server-side session state: either a session store that records which tokens are currently valid, or a revocation list (blacklist) keyed on a unique per-token identifier (jti) that logout adds to and every authenticated request checks. Entries only need to be retained until the token's own expiry. Note that an in-memory list does not survive a restart and is not shared between instances, so multi-instance deployments need a shared store. In addition, shorten the JWT lifetime where possible, or issue short-lived access tokens paired with refresh tokens so that a stolen access token expires quickly and revocation only has to cover the refresh token.
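The reproduction and the remediation above, as an added worked example in Go (File Browser's implementation language). This is illustrative code written for this page, not File Browser's own code. It models the login, logout and resources endpoints as methods that return HTTP status codes, hand-rolls an HS256 JWT with the standard library, and runs the reproduction steps against two variants of the server: a vulnerable one in which logout changes nothing server-side, and a hardened one in which logout records the token's jti in a revocation list that is kept until the token's own exp. The endpoint names, claim set, secret and token lifetime are assumptions and are not taken from File Browser.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"strings"
	"sync"
	"time"
)

type claims struct {
	JTI string `json:"jti"` // unique token id: what a logout-aware server needs to revoke exactly one token
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// sign builds a compact HS256 JWS, hand-rolled to keep the example stdlib-only.
func sign(secret []byte, c claims) string {
	body, _ := json.Marshal(c)
	signing := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signing))
	return signing + "." + b64.EncodeToString(mac.Sum(nil))
}

// verify checks signature and exp, all a stateless JWT check can know: a client-side logout changes nothing here.
func verify(secret []byte, token string, now time.Time) (c claims, ok bool) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err1 := b64.DecodeString(parts[2])
	payload, err2 := b64.DecodeString(parts[1])
	if err1 != nil || err2 != nil || !hmac.Equal(sig, mac.Sum(nil)) || json.Unmarshal(payload, &c) != nil {
		return c, false
	}
	return c, now.Unix() < c.Exp
}

// authServer models login, logout and the resources endpoint (hypothetical, not File Browser's handlers).
// revoked (jti -> exp) is the missing server-side state; with revokeOnLogout=false it is never consulted.
type authServer struct {
	secret         []byte
	revokeOnLogout bool
	mu             sync.Mutex
	revoked        map[string]int64
}

func (s *authServer) login(ttl time.Duration) string {
	var id [16]byte
	rand.Read(id[:]) // credentials are not checked here; the demo is about token lifetime, not login
	return sign(s.secret, claims{JTI: b64.EncodeToString(id[:]), Exp: time.Now().Add(ttl).Unix()})
}

// resources is the authenticated endpoint; 401 means the token was refused.
func (s *authServer) resources(token string) (claims, int) {
	c, ok := verify(s.secret, token, time.Now())
	if !ok || (s.revokeOnLogout && s.isRevoked(c.JTI)) {
		return c, 401
	}
	return c, 200
}

func (s *authServer) isRevoked(jti string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	for id, exp := range s.revoked { // purge entries whose token has expired on its own, keeping the list bounded
		if time.Now().Unix() >= exp {
			delete(s.revoked, id)
		}
	}
	_, revoked := s.revoked[jti]
	return revoked
}

// logout records the jti until the token's own exp; in the vulnerable variant it changes nothing server-side.
func (s *authServer) logout(token string) {
	if c, status := s.resources(token); status == 200 && s.revokeOnLogout {
		s.mu.Lock()
		s.revoked[c.JTI] = c.Exp
		s.mu.Unlock()
	}
}

// replayAfterLogout runs the advisory's reproduction (log in, use the token, log out, replay it) and returns the replay's status.
func replayAfterLogout(revokeOnLogout bool) int {
	s := &authServer{secret: []byte("constructed-demo-secret"), revokeOnLogout: revokeOnLogout, revoked: map[string]int64{}}
	tok := s.login(time.Hour) // the long-lived token an attacker would have captured
	s.resources(tok)          // 200 while the session is live
	s.logout(tok)
	_, status := s.resources(tok)
	return status
}
```

replayAfterLogout(false) returns 200, reproducing the advisory's finding that the replayed token is accepted; replayAfterLogout(true) returns 401 because logout placed the jti on the revocation list. The list is keyed on jti rather than on the whole token so that a revocation entry is small and can be dropped as soon as the token would have expired anyway. It lives in process memory here, so it neither survives a restart nor is shared across replicas; a real deployment would back it with a shared store carrying the same jti-until-exp semantics.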

Added: Jul 15, 2025, 6:31 PM
Updated: Jul 15, 2025, 11:39 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 5.0
exploitability: 9.5
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.