Hexpm Password Reset Token Indefinite Validity Vulnerability Allows Account Takeover

Vulnerability

A vulnerability in the Hexpm package management system's password reset functionality allows account takeover because password reset tokens never expire. Tokens generated through the 'Reset your password' process remain valid indefinitely, so an old reset message exposed in a data breach is still usable long after it was sent. An attacker holding such a token could change the user's password without current access to their email account. This issue affects Hexpm versions from commit 617e44c71f1dd9043870205f371d375c5c4d886d prior to commit bb0e42091995945deef10556f58d046a52eb7884.

Impact

The vulnerability allows for indefinite validity of password reset tokens, increasing the risk of unauthorized password resets and account takeovers, particularly for users with exposed email histories.

Remediation

The vulnerability has been patched in Hexpm version bb0e42091995945deef10556f58d046a52eb7884. Users who suspect their email has been compromised should reset their password and enable two-factor authentication.
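The following is an added illustration, not Hexpm's code: it models the reset flow the advisory describes, with the flawed lookup (any token ever issued keeps working) beside a hardened lookup that enforces a time-to-live and consumes the token on use. The User fields, the one-hour TTL and the in-memory user list are constructed assumptions for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Iterable, Optional

RESET_TTL_SECONDS = 60 * 60  # assumed policy: a reset link is good for one hour


@dataclass
class User:
    email: str
    password_hash: str
    reset_token: Optional[str] = None
    reset_issued_at: Optional[float] = None  # epoch seconds when the token was generated


def issue_reset_token(user: User, now: float) -> str:
    """Generate a fresh random token and remember when it was issued (replaces any older one)."""
    user.reset_token = secrets.token_urlsafe(32)
    user.reset_issued_at = now
    return user.reset_token


def lookup_vulnerable(users: Iterable[User], token: str) -> Optional[User]:
    """Flawed check modelled on the advisory: the token is only compared, never aged."""
    for user in users:
        if user.reset_token is not None and secrets.compare_digest(user.reset_token, token):
            return user
    return None


def lookup_fixed(users: Iterable[User], token: str, now: float) -> Optional[User]:
    """Hardened check: the token must match and must be younger than RESET_TTL_SECONDS."""
    for user in users:
        if user.reset_token is None or not secrets.compare_digest(user.reset_token, token):
            continue
        if now - user.reset_issued_at > RESET_TTL_SECONDS:
            return None  # expired: treat exactly like an unknown token
        return user
    return None


def reset_password(users: Iterable[User], token: str, new_hash: str, now: float) -> bool:
    """Apply the new password hash and consume the token so a leaked reset email cannot be replayed."""
    user = lookup_fixed(users, token, now)
    if user is None:
        return False
    user.password_hash = new_hash
    user.reset_token = None
    user.reset_issued_at = None
    return True
```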

Added: Mar 5, 2026, 10:50 PM
Updated: Mar 5, 2026, 10:50 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 6.3
remediation: 0.0
relevance: 3.5
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.