CVE-2021-25985: CWE-613 Insufficient Session Expiration in FactorJS Factor

High
Tags: Vulnerability, CVE-2021-25985, CWE-613
Published: Tue Nov 16 2021 (11/16/2021, 09:45:19 UTC)
Source: CVE
Vendor/Project: FactorJS
Product: Factor

Description

Factor (App Framework & Headless CMS) v1.0.4 to v1.8.30 does not properly invalidate a user's session even after the user logs out of the application. In addition, user sessions are stored in the browser's local storage, which by default does not have an expiration time. This makes it possible for an attacker to steal and reuse the cookies using techniques such as XSS attacks, followed by a local account takeover.

AI-Powered Analysis

Last updated: 06/25/2025, 09:01:30 UTC

Technical Analysis

CVE-2021-25985 is a high-severity vulnerability affecting FactorJS's Factor product versions 1.0.4 through 1.8.30. The core issue is insufficient session expiration management (CWE-613). Specifically, when a user logs out, the application fails to properly invalidate the user's session tokens. Moreover, user session data is stored in the browser's local storage, which inherently lacks an expiration mechanism. This combination allows an attacker who can execute cross-site scripting (XSS) attacks to steal session cookies or tokens from local storage and reuse them to hijack user accounts. The vulnerability impacts confidentiality, integrity, and availability because an attacker can gain unauthorized access (confidentiality), perform actions as the victim (integrity), and potentially disrupt service (availability). The CVSS 3.1 score of 7.8 reflects a high severity, with an attack vector limited to local (AV:L), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope is unchanged (S:U), and the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). No known exploits have been reported in the wild, and no official patches are linked, indicating that mitigation may rely on configuration changes or updates from the vendor. The vulnerability arises from poor session management practices and unsafe storage of session tokens in local storage, which is accessible via JavaScript and thus vulnerable to XSS attacks. This makes it critical for applications using FactorJS Factor to review their session handling and storage mechanisms to prevent session hijacking and account takeover risks.

Potential Impact

For European organizations using FactorJS Factor, this vulnerability poses a significant risk of account takeover through session hijacking. Attackers exploiting this flaw can access sensitive user data, manipulate application functions, and potentially disrupt business operations. Sectors such as finance, healthcare, government, and critical infrastructure that rely on FactorJS Factor for web applications or headless CMS capabilities are particularly at risk. The vulnerability undermines user trust and may lead to regulatory non-compliance, especially under GDPR, due to unauthorized access and potential data breaches. The local storage of session tokens increases the attack surface, especially if combined with other vulnerabilities like XSS. Given the high confidentiality and integrity impact, organizations could face data leakage, fraud, and service disruption. The requirement for user interaction (e.g., clicking a malicious link) means phishing or social engineering could be used to facilitate exploitation. The absence of known exploits in the wild suggests a window for proactive mitigation before widespread attacks occur.

Mitigation Recommendations

- Immediately update FactorJS Factor to the latest version once the vendor releases a patch addressing this vulnerability.
- Implement server-side session invalidation upon logout to ensure tokens are revoked and cannot be reused.
- Avoid storing session tokens or sensitive authentication data in browser local storage; use secure, HttpOnly cookies with appropriate SameSite attributes instead.
- Conduct thorough input validation and output encoding to prevent XSS vulnerabilities that could be leveraged to steal session tokens.
- Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce XSS attack vectors.
- Educate users about phishing and social engineering risks to reduce the likelihood of user interaction leading to exploitation.
- Regularly audit and monitor web application logs for suspicious activities indicative of session hijacking attempts.
- Use multi-factor authentication (MFA) to add an additional layer of security, reducing the impact of stolen session tokens.
- Deploy web application firewalls (WAF) configured to detect and block common XSS attack patterns targeting session tokens.
- Review and enhance session management policies, including setting appropriate session timeouts and secure cookie flags.

Technical Details

Data Version
5.1
Assigner Short Name
Mend
Date Reserved
2021-01-22T00:00:00.000Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d983bc4522896dcbedd0f

Added to database: 5/21/2025, 9:09:15 AM

Last enriched: 6/25/2025, 9:01:30 AM

Last updated: 8/17/2025, 7:15:03 PM