Insufficient Session Expiration in heroiclabs/nakama


Reported on

Aug 23rd 2022


The Nakama Console session is not invalidated when the user is deleted.

Proof of Concept

Steps to reproduce:

1. Log in to the Nakama Console as admin and create a user
2. In a separate browser or private window log in to the account
3. In the admin session, delete the user
4. Observe that the session is not invalidated and the user can still perform all actions according to their role (for instance if the user has the administrator role they can still create/delete users)


An old session can be used by an attacker even after the user has been deleted in a different session. The session can be used until it expires or the attacker logs out.


Active sessions should be invalidated when the corresponding user is deleted.

We are processing your report and will contact the heroiclabs/nakama team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a exists a year ago
We have contacted a member of the heroiclabs/nakama team and are waiting to hear back a year ago
heroiclabs/nakama maintainer has acknowledged this report a year ago
Andrei Mihu validated this vulnerability 10 months ago
vautia has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Andrei Mihu marked this as fixed in 3.16.0 with commit d1e894 10 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Feb 1st 2023
console_user.go#L120-L130 has been validated
Andrei Mihu published this vulnerability 10 months ago
to join this conversation