Terminate existing sessions and send password change notification email after successful password reset to meet post-reset security requirements.

[zeropath-ai-dev]

Summary

• The Vulnerability Description:
  After a successful password update, existing user sessions are not terminated and no password change email notification is sent, which fails to meet security standards for post-reset actions and may leave user accounts at risk.

• This Fix:
  The patch now ensures that after a password reset, all related authenticated sessions are terminated and a password change notification email is sent to the user.

• The Cause of the Issue:
  The original code only updated the password in the database, but did not handle session invalidation or notify users about password changes, increasing the risk if an attacker compromises an account.

• The Patch Implementation:
  The fix adds terminateSessions for invalidating existing sessions and integrates sendPasswordChangeNotification for emailing users about password changes, both triggered immediately after a password update in resetPassword.ts.

Vulnerability Details

• Vulnerability Class: Natural Language Rule Violation
• Severity: 5.3
• Affected File: routes/resetPassword.ts
• Vulnerable Lines: 38-41

Code Snippets

diff --git a/lib/emailService.ts b/lib/emailService.ts
new file mode 100644
index 000000000..84eb3da7b
--- /dev/null
+++ b/lib/emailService.ts
@@ -0,0 +1,18 @@
+import nodemailer from 'nodemailer'
+import config from 'config'
+
+const transporter = nodemailer.createTransport(config.get('smtp'))
+
+export const sendPasswordChangeNotification = async (email: string): Promise<void> => {
+  try {
+    await transporter.sendMail({
+      from: 'no-reply@juice-shop.com',
+      to: email,
+      subject: 'Password Change Notification',
+      text: 'Your password was successfully changed. If you did not perform this action, please contact support immediately.'
+    })
+  } catch (error) {
+    console.error(`Failed to send password change notification to ${email}`, error)
+    throw error
+  }
+}
diff --git a/lib/insecurity.ts b/lib/insecurity.ts
index 0e4e3d993..f8372dab5 100644
--- a/lib/insecurity.ts
+++ b/lib/insecurity.ts
@@ -199,3 +199,11 @@ export const updateAuthenticatedUsers = () => (req: Request, res: Response, next
   }
   next()
 }
+
+export const terminateSessions = (userId: string) => {
+  const token = authenticatedUsers.idMap[userId]
+  if (token) {
+    delete authenticatedUsers.tokenMap[token]
+    delete authenticatedUsers.idMap[userId]
+  }
+}
diff --git a/routes/resetPassword.ts b/routes/resetPassword.ts
index 235be1b45..7d57a5903 100644
--- a/routes/resetPassword.ts
+++ b/routes/resetPassword.ts
@@ -13,6 +13,7 @@ import { challenges } from '../data/datacache'
 import challengeUtils = require('../lib/challengeUtils')
 const users = require('../data/datacache').users
 const security = require('../lib/insecurity')
+const emailService = require('../lib/emailService')
 
 module.exports = function resetPassword () {
   return ({ body, connection }: Request, res: Response, next: NextFunction) => {
@@ -37,6 +38,11 @@ module.exports = function resetPassword () {
           UserModel.findByPk(data.UserId).then((user: UserModel | null) => {
             user?.update({ password: newPassword }).then((user: UserModel) => {
               verifySecurityAnswerChallenges(user, answer)
+              security.terminateSessions(user.id)
+              emailService.sendPasswordChangeNotification(user.email)
+                .catch((err: unknown) => {
+                  console.error('Password change notification error for ' + user.email, err)
+                })
               res.json({ user })
             }).catch((error: unknown) => {
               next(error)

How to Modify the Patch

You can modify this patch by using one of the two methods outlined below. We recommend using the @zeropath-ai-dev bot for updating the code. If you encounter any bugs or issues with the patch, please report them here.

Ask @zeropath-ai-dev!

To request modifications, please post a comment beginning with @zeropath-ai-dev and specify the changes required.

@zeropath-ai-dev will then implement the requested adjustments and commit them to the specified branch in this pull request. Our bot is capable of managing changes across multiple files and various development-related requests.

Manually Modify the Files

# Checkout created branch:
git checkout zvuln_fix_natural_language_rule_violation_1755145801668800

# if vscode is installed run (or use your favorite editor / IDE):
code routes/resetPassword.ts

# Add, commit, and push changes:
git add -A
git commit -m "Update generated patch with x, y, and z changes."
git push zvuln_fix_natural_language_rule_violation_1755145801668800