GHSA-7hgr-xvrr-xpw3: nhost has Session Persistence After Password Change
When a user changes their password, either through the authenticated password change endpoint or a password reset ticket, the ChangePassword workflow correctly hashes and persists the new password via UpdateUserChangePassword. However, it does not revoke existing sessions. The auth.refresh_tokens and auth.oauth2_refresh_tokens tables are left untouched, meaning all previously issued refresh tokens remain valid and can continue generating new access tokens indefinitely.
This vulnerability affects all password change paths (handled in change_user_password.go), since they share the same underlying workflow:
- Authenticated password change via the Nhost dashboard or client SDK
- Ticket-based password reset (magic links / recovery flows)
- OAuth2/OIDC sessions managed via auth.oauth2_refresh_tokens
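The following Go program is an added illustration, not nhost's code, of the defect described above and of the fix a defender would expect. It models the auth.refresh_tokens and auth.oauth2_refresh_tokens tables with a constructed in-memory store, then contrasts a password change that only rewrites the hash with one that also revokes the user's outstanding refresh tokens in both tables (sparing the session that performed the change). The store layout, function names and the sha256 stand-in for the password hash are assumptions for the example only; the real service has its own schema and a proper password hashing scheme.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// refreshToken is one row of a refresh-token table, reduced to the columns
// this example needs (the real tables carry more).
type refreshToken struct {
	UserID  string
	Revoked bool
}

// authStore is a constructed in-memory stand-in for the auth schema: one
// password hash per user plus the two refresh-token tables named in the
// advisory. These names are assumptions, not nhost's types.
type authStore struct {
	passwordHash        map[string][]byte       // stand-in for the user's password hash
	refreshTokens       map[string]refreshToken // stand-in for auth.refresh_tokens, keyed by token
	oauth2RefreshTokens map[string]refreshToken // stand-in for auth.oauth2_refresh_tokens, keyed by token
}

func newAuthStore() *authStore {
	return &authStore{
		passwordHash:        map[string][]byte{},
		refreshTokens:       map[string]refreshToken{},
		oauth2RefreshTokens: map[string]refreshToken{},
	}
}

// hashPassword is a placeholder for a real password hash (bcrypt/argon2id);
// the hashing scheme is not what this example is about.
func hashPassword(password string) []byte {
	sum := sha256.Sum256([]byte(password))
	return sum[:]
}

// issueRefreshToken mints a random token for userID in one of the two tables.
func (s *authStore) issueRefreshToken(userID string, oauth2 bool) string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	tok := hex.EncodeToString(b)
	row := refreshToken{UserID: userID}
	if oauth2 {
		s.oauth2RefreshTokens[tok] = row
	} else {
		s.refreshTokens[tok] = row
	}
	return tok
}

// refreshAccessToken is the check the token endpoint performs: an unknown or
// revoked refresh token must not yield a new access token.
func (s *authStore) refreshAccessToken(token string) (string, error) {
	for _, table := range []map[string]refreshToken{s.refreshTokens, s.oauth2RefreshTokens} {
		if row, ok := table[token]; ok {
			if row.Revoked {
				return "", errors.New("refresh token revoked")
			}
			return row.UserID, nil
		}
	}
	return "", errors.New("unknown refresh token")
}

// changePasswordVulnerable mirrors the behaviour the advisory describes: the
// new hash is persisted but neither refresh-token table is touched.
func (s *authStore) changePasswordVulnerable(userID, newPassword string) {
	s.passwordHash[userID] = hashPassword(newPassword)
}

// changePasswordFixed persists the new hash and revokes every refresh token
// the user holds in both tables, except keepToken (the session that made the
// change, so that one is not logged out). Returns how many tokens were revoked.
func (s *authStore) changePasswordFixed(userID, newPassword, keepToken string) int {
	s.passwordHash[userID] = hashPassword(newPassword)
	revoked := 0
	for _, table := range []map[string]refreshToken{s.refreshTokens, s.oauth2RefreshTokens} {
		for tok, row := range table {
			if row.UserID == userID && tok != keepToken && !row.Revoked {
				row.Revoked = true
				table[tok] = row
				revoked++
			}
		}
	}
	return revoked
}

func main() {
	s := newAuthStore()
	s.passwordHash["alice"] = hashPassword("old-password")
	laptop := s.issueRefreshToken("alice", false) // constructed: a dashboard/SDK session
	phone := s.issueRefreshToken("alice", true)   // constructed: an OAuth2 session

	s.changePasswordVulnerable("alice", "new-password")
	_, err := s.refreshAccessToken(phone)
	fmt.Println("vulnerable: old phone token still refreshes:", err == nil)

	n := s.changePasswordFixed("alice", "newer-password", laptop)
	_, err = s.refreshAccessToken(phone)
	fmt.Printf("fixed: revoked %d token(s); phone token refreshes: %v\n", n, err == nil)
	_, err = s.refreshAccessToken(laptop)
	fmt.Println("fixed: current session token still refreshes:", err == nil)
}
```

In a real deployment the hash update and the revocation of both tables belong in one database transaction, so that a crash between the two statements cannot leave the new password in place with the old sessions still live; a detection-side check is to query both tables for non-revoked rows older than the user's last password change.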