@hotwired/turbo

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

### Summary A race condition in Turbo Frames allows delayed HTTP responses to restore stale session cookies after session-modifying operations. ### Details Browsers automatically process Set-Cookie headers from HTTP responses. When a Turbo Frame request is in-flight during a session-modifying action (such as logout), the delayed response may include a Set-Cookie header reflecting the session state at request time. This can result in stale session cookies being restored after the session was intentionally modified or invalidated. This condition can occur naturally on slow networks. An active network attacker capable of delaying responses could potentially exploit this to restore previous session state. ### Impact Applications using Turbo Frames with cookie-based session storage may experience: - Session state reversion after logout - Unintended restoration of previous authentication state The impact is limited to applications using client-side cookie storage for sessions. Applications using server-side session stores (Redis, database, etc.) are not meaningfully affected, as the server-side session state remains authoritative. ### Patches Upgrade to Turbo 8.0.21 or later. The fix cancels in-flight Turbo Frame requests when: - The frame element is disconnected from the DOM - The frame's disabled attribute is set - The frame's src attribute is cleared ### Workarounds - Use server-side session storage instead of a cookie store like Rails's cookie store - Ensure logout flows remove or disable Turbo Frame elements before invalidating sessions ### References - https://github.com/hotwired/turbo/pull/1399

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

### Summary A race condition in Turbo Frames allows delayed HTTP responses to restore stale session cookies after session-modifying operations. ### Details Browsers automatically process Set-Cookie headers from HTTP responses. When a Turbo Frame request is in-flight during a session-modifying action (such as logout), the delayed response may include a Set-Cookie header reflecting the session state at request time. This can result in stale session cookies being restored after the session was intentionally modified or invalidated. This condition can occur naturally on slow networks. An active network attacker capable of delaying responses could potentially exploit this to restore previous session state. ### Impact Applications using Turbo Frames with cookie-based session storage may experience: - Session state reversion after logout - Unintended restoration of previous authentication state The impact is limited to applications using client-side cookie storage for sessions. Applications using server-side session stores (Redis, database, etc.) are not meaningfully affected, as the server-side session state remains authoritative. ### Patches Upgrade to Turbo 8.0.21 or later. The fix cancels in-flight Turbo Frame requests when: - The frame element is disconnected from the DOM - The frame's disabled attribute is set - The frame's src attribute is cleared ### Workarounds - Use server-side session storage instead of a cookie store like Rails's cookie store - Ensure logout flows remove or disable Turbo Frame elements before invalidating sessions ### References - https://github.com/hotwired/turbo/pull/1399

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

### Summary A race condition in Turbo Frames allows delayed HTTP responses to restore stale session cookies after session-modifying operations. ### Details Browsers automatically process Set-Cookie headers from HTTP responses. When a Turbo Frame request is in-flight during a session-modifying action (such as logout), the delayed response may include a Set-Cookie header reflecting the session state at request time. This can result in stale session cookies being restored after the session was intentionally modified or invalidated. This condition can occur naturally on slow networks. An active network attacker capable of delaying responses could potentially exploit this to restore previous session state. ### Impact Applications using Turbo Frames with cookie-based session storage may experience: - Session state reversion after logout - Unintended restoration of previous authentication state The impact is limited to applications using client-side cookie storage for sessions. Applications using server-side session stores (Redis, database, etc.) are not meaningfully affected, as the server-side session state remains authoritative. ### Patches Upgrade to Turbo 8.0.21 or later. The fix cancels in-flight Turbo Frame requests when: - The frame element is disconnected from the DOM - The frame's disabled attribute is set - The frame's src attribute is cleared ### Workarounds - Use server-side session storage instead of a cookie store like Rails's cookie store - Ensure logout flows remove or disable Turbo Frame elements before invalidating sessions ### References - https://github.com/hotwired/turbo/pull/1399

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

### Summary A race condition in Turbo Frames allows delayed HTTP responses to restore stale session cookies after session-modifying operations. ### Details Browsers automatically process Set-Cookie headers from HTTP responses. When a Turbo Frame request is in-flight during a session-modifying action (such as logout), the delayed response may include a Set-Cookie header reflecting the session state at request time. This can result in stale session cookies being restored after the session was intentionally modified or invalidated. This condition can occur naturally on slow networks. An active network attacker capable of delaying responses could potentially exploit this to restore previous session state. ### Impact Applications using Turbo Frames with cookie-based session storage may experience: - Session state reversion after logout - Unintended restoration of previous authentication state The impact is limited to applications using client-side cookie storage for sessions. Applications using server-side session stores (Redis, database, etc.) are not meaningfully affected, as the server-side session state remains authoritative. ### Patches Upgrade to Turbo 8.0.21 or later. The fix cancels in-flight Turbo Frame requests when: - The frame element is disconnected from the DOM - The frame's disabled attribute is set - The frame's src attribute is cleared ### Workarounds - Use server-side session storage instead of a cookie store like Rails's cookie store - Ensure logout flows remove or disable Turbo Frame elements before invalidating sessions ### References - https://github.com/hotwired/turbo/pull/1399

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

### Summary A race condition in Turbo Frames allows delayed HTTP responses to restore stale session cookies after session-modifying operations. ### Details Browsers automatically process Set-Cookie headers from HTTP responses. When a Turbo Frame request is in-flight during a session-modifying action (such as logout), the delayed response may include a Set-Cookie header reflecting the session state at request time. This can result in stale session cookies being restored after the session was intentionally modified or invalidated. This condition can occur naturally on slow networks. An active network attacker capable of delaying responses could potentially exploit this to restore previous session state. ### Impact Applications using Turbo Frames with cookie-based session storage may experience: - Session state reversion after logout - Unintended restoration of previous authentication state The impact is limited to applications using client-side cookie storage for sessions. Applications using server-side session stores (Redis, database, etc.) are not meaningfully affected, as the server-side session state remains authoritative. ### Patches Upgrade to Turbo 8.0.21 or later. The fix cancels in-flight Turbo Frame requests when: - The frame element is disconnected from the DOM - The frame's disabled attribute is set - The frame's src attribute is cleared ### Workarounds - Use server-side session storage instead of a cookie store like Rails's cookie store - Ensure logout flows remove or disable Turbo Frame elements before invalidating sessions ### References - https://github.com/hotwired/turbo/pull/1399