Craft CMS TOCTOU Race Condition Vulnerability in Token Validation Service Allowing Excess Token Usage

Vulnerability

A Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability has been identified in Craft CMS versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22. The issue arises in the token validation service for tokens with a limited number of uses. The `getTokenRoute()` method reads the token's usage count and updates the database in separate, non-atomic operations. By sending concurrent requests, an attacker can use a single-use impersonation token multiple times before the database registers the decrement. To exploit this vulnerability, an attacker must first obtain a valid impersonation token from a user account with higher permissions than their own, and then bypass any existing rate limits.
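The following added example (not Craft CMS code) shows the bug class described above: a read-check-write usage counter lets every request that passed the check consume the token, whereas a single conditional UPDATE that is the check lets exactly `usageLimit` requests through. The `tokens` table, column names and the request scheduler are constructed for the demonstration.

```python
import sqlite3

def make_db(usage_limit: int = 1) -> sqlite3.Connection:
    # In-memory table holding one limited-use token (constructed sample row, not Craft's schema).
    db = sqlite3.connect(":memory:", isolation_level=None)  # autocommit mode
    db.execute("CREATE TABLE tokens (id INTEGER PRIMARY KEY, token TEXT, usageLimit INTEGER)")
    db.execute("INSERT INTO tokens VALUES (1, 'demo-token', ?)", (usage_limit,))
    return db

# Vulnerable pattern: the check (SELECT) and the use (UPDATE/DELETE) are separate statements.
def vulnerable_check(db, token):
    row = db.execute("SELECT id, usageLimit FROM tokens WHERE token = ?", (token,)).fetchone()
    return row if row and row[1] > 0 else None  # decision taken on a snapshot

def vulnerable_use(db, row):
    # Decrements based on the stale snapshot; every request that passed the check lands here.
    token_id, remaining = row
    if remaining - 1 <= 0:
        db.execute("DELETE FROM tokens WHERE id = ?", (token_id,))
    else:
        db.execute("UPDATE tokens SET usageLimit = usageLimit - 1 WHERE id = ?", (token_id,))
    return True

# Hardened pattern: one conditional UPDATE both checks and consumes the use.
def atomic_check(db, token):
    return token  # no separate check; the UPDATE in atomic_use is the check

def atomic_use(db, token):
    cur = db.execute("UPDATE tokens SET usageLimit = usageLimit - 1 "
                     "WHERE token = ? AND usageLimit > 0", (token,))
    if cur.rowcount != 1:  # another request already consumed the last use
        return False
    db.execute("DELETE FROM tokens WHERE token = ? AND usageLimit <= 0", (token,))
    return True

def run_concurrently(db, token, n, check, use):
    """Deterministic worst-case interleaving of n simultaneous requests:
    every request finishes its check before any request performs its use."""
    snapshots = [check(db, token) for _ in range(n)]  # time of check
    return sum(1 for s in snapshots if s is not None and use(db, s))  # time of use

if __name__ == "__main__":
    print(run_concurrently(make_db(1), "demo-token", 5, vulnerable_check, vulnerable_use))  # 5
    print(run_concurrently(make_db(1), "demo-token", 5, atomic_check, atomic_use))          # 1
```

The scheduler forces the interleaving that a real race only produces sometimes, which is also why a load test that passes once does not prove the counter is safe.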

Impact

Exploitation of this vulnerability could lead to unauthorized repeated use of impersonation tokens, potentially allowing for privilege escalation by misusing tokens from accounts with greater permissions.

Reproduction

To reproduce this vulnerability, first obtain a valid user account impersonation URL that includes a non-expired token, preferably from an account with higher permissions than the current user. Once the token is acquired, send multiple concurrent requests that use the token. This can be done using a tool that automates the sending of simultaneous requests, such as a custom script or a web application testing tool. Ensure that any rate-limiting measures are bypassed, if applicable.

Remediation

Users can update to Craft CMS versions 4.16.19 or 5.8.23, where this vulnerability has been patched.

Added: Feb 24, 2026, 3:23 AM
Updated: Feb 24, 2026, 3:23 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 5.0
exploitability: 5.0
remediation: 7.7
relevance: 3.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.