Hotwired Turbo Race Condition Vulnerability in Turbo Frames Allowing Session Cookie Restoration
Vulnerability
A race condition vulnerability has been identified in Hotwired Turbo versions prior to 8.0.x, specifically within the turbo-frame element handler. This vulnerability causes logout operations to fail by allowing delayed frame responses to reapply session cookies after a logout has been processed. Remote attackers could exploit this by introducing selective network delays, while physically proximate attackers could take advantage of the vulnerability on shared computers.
Impact
Exploitation of this vulnerability can lead to unintended session state reversion, causing users to be logged back in after logging out, without their knowledge.
Reproduction
The vulnerability can be reproduced by initiating a logout process while a turbo-frame request is still being processed. This can be done by clicking a logout button and then delaying the response of the turbo-frame request, which will cause the stale session cookie to be reapplied after logout.
Remediation
Users can upgrade to Turbo version 8.0.21 or later, where this vulnerability has been patched. For applications using cookie-based session storage, it is recommended to switch to server-side session storage or ensure that Turbo Frame elements are removed or disabled before logging out.
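The following is an added example, not code from Turbo or from this advisory: a small Node.js model of the race described under Reproduction, run against both cookie-based and server-side session storage. The server objects, `raceLogout`, and the `sid-constructed` value are hypothetical, and the model assumes the server re-sends the session cookie on every response.

```javascript
// Constructed model (not Turbo or Rails code): a browser cookie jar and a server
// whose responses may be delivered later than they were generated.

// Cookie-based storage: the cookie value IS the session, so every response
// re-serialises whatever the session was when that request was handled.
function cookieStoreServer() {
  return {
    handle(path, cookie) {
      const session = cookie ? JSON.parse(cookie) : {};
      if (path === "/logout") delete session.userId;
      return { setCookie: JSON.stringify(session) };
    },
    currentUser(cookie) {
      return (cookie ? JSON.parse(cookie) : {}).userId ?? null;
    },
  };
}

// Server-side storage: the cookie holds only an opaque id; logout deletes the record.
function serverSideStoreServer(sessions) {
  return {
    handle(path, cookie) {
      if (path === "/logout") sessions.delete(cookie);
      return { setCookie: path === "/logout" ? "" : cookie };
    },
    currentUser(cookie) {
      return sessions.get(cookie)?.userId ?? null;
    },
  };
}

// The frame request is handled while logged in; its response lands after logout's.
function raceLogout(server, initialCookie) {
  let jar = initialCookie;
  const frameResponse = server.handle("/frame", jar);   // in flight, delayed
  const logoutResponse = server.handle("/logout", jar); // user clicks logout
  jar = logoutResponse.setCookie;                       // logout response arrives
  jar = frameResponse.setCookie;                        // stale frame response arrives
  return server.currentUser(jar);                       // who is the browser now?
}

function demo() {
  const cookieBased = raceLogout(cookieStoreServer(), JSON.stringify({ userId: 42 }));
  const sessions = new Map([["sid-constructed", { userId: 42 }]]);
  const serverSide = raceLogout(serverSideStoreServer(sessions), "sid-constructed");
  return { cookieBased, serverSide };
}
console.log(demo());
```

With cookie-based storage the late frame response leaves the browser holding a valid logged-in session; with server-side storage the restored cookie only points at a record that logout already deleted.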
