CISA Thorium does not properly invalidate previously used tokens when resetting passwords. An attacker that possesses a previously used token could still log in after a password reset. Fixed in 1.1.1.

Related CVEs

CVE-2025-35433

Key Information

GHSA ID

GHSA-mxh5-f83r-vf79

Published

September 17, 2025 6:31 PM

Last Modified

September 17, 2025 6:31 PM

CVSS Score

2.5 /10

Primary Ecosystem

Unknown

Primary Package

Unknown

GitHub Reviewed

✗ No

Dataset

Last updated: September 18, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.