CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
874 vulnerabilities reference this CWE, most recent first.
GHSA-QC92-5V9V-HH5W
Vulnerability from github – Published: 2026-02-27 00:31 – Updated: 2026-03-05 21:30The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
{
"affected": [],
"aliases": [
"CVE-2026-25711"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-27T00:16:57Z",
"severity": "HIGH"
},
"details": "The WebSocket backend uses charging station identifiers to uniquely \nassociate sessions but allows multiple endpoints to connect using the \nsame session identifier. This implementation results in predictable \nsession identifiers and enables session hijacking or shadowing, where \nthe most recent connection displaces the legitimate charging station and\n receives backend commands intended for that station. This vulnerability\n may allow unauthorized users to authenticate as other users or enable a\n malicious actor to cause a denial-of-service condition by overwhelming \nthe backend with valid session requests.",
"id": "GHSA-qc92-5v9v-hh5w",
"modified": "2026-03-05T21:30:27Z",
"published": "2026-02-27T00:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25711"
},
{
"type": "WEB",
"url": "https://chargemap.com/en-us/support"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-05.json"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-05"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QHMC-3MVR-F2J4
Vulnerability from github – Published: 2025-12-15 15:30 – Updated: 2026-06-05 14:34An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as is_active=False after having handed tokens for that user while the account was still active had no effect. Fixed the access/refresh tokens are now rejected.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "django-allauth"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "65.13.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-65430"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-16T19:33:33Z",
"nvd_published_at": "2025-12-15T14:15:57Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as is_active=False after having handed tokens for that user while the account was still active had no effect. Fixed the access/refresh tokens are now rejected.",
"id": "GHSA-qhmc-3mvr-f2j4",
"modified": "2026-06-05T14:34:45Z",
"published": "2025-12-15T15:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65430"
},
{
"type": "WEB",
"url": "https://github.com/pennersr/django-allauth/commit/39f4a4ce9c891795b00914ca5ec32de72d5369c0"
},
{
"type": "WEB",
"url": "https://github.com/pennersr/django-allauth/commit/c54edf947c5a1c8c4ff3cddb75c86000ecb2507d"
},
{
"type": "WEB",
"url": "https://allauth.org/news/2025/10/django-allauth-65.13.0-released"
},
{
"type": "PACKAGE",
"url": "https://codeberg.org/allauth/django-allauth"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-allauth/PYSEC-2025-110.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "django-allauth does not reject access tokens for inactive users"
}
GHSA-QPPM-G56G-FPVP
Vulnerability from github – Published: 2026-01-20 18:58 – Updated: 2026-01-21 21:11Summary
A race condition in Turbo Frames allows delayed HTTP responses to restore stale session cookies after session-modifying operations.
Details
Browsers automatically process Set-Cookie headers from HTTP responses. When a Turbo Frame request is in-flight during a session-modifying action (such as logout), the delayed response may include a Set-Cookie header reflecting the session state at request time. This can result in stale session cookies being restored after the session was intentionally modified or invalidated.
This condition can occur naturally on slow networks. An active network attacker capable of delaying responses could potentially exploit this to restore previous session state.
### Impact Applications using Turbo Frames with cookie-based session storage may experience: - Session state reversion after logout - Unintended restoration of previous authentication state
The impact is limited to applications using client-side cookie storage for sessions. Applications using server-side session stores (Redis, database, etc.) are not meaningfully affected, as the server-side session state remains authoritative.
Patches
Upgrade to Turbo 8.0.21 or later. The fix cancels in-flight Turbo Frame requests when: - The frame element is disconnected from the DOM - The frame's disabled attribute is set - The frame's src attribute is cleared
Workarounds
- Use server-side session storage instead of a cookie store like Rails's cookie store
- Ensure logout flows remove or disable Turbo Frame elements before invalidating sessions
References
- https://github.com/hotwired/turbo/pull/1399
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.20"
},
"package": {
"ecosystem": "npm",
"name": "@hotwired/turbo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.21"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-66803"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-367",
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-20T18:58:15Z",
"nvd_published_at": "2026-01-20T19:15:49Z",
"severity": "LOW"
},
"details": "### Summary\nA race condition in Turbo Frames allows delayed HTTP responses to restore stale session cookies after session-modifying operations.\n\n### Details\nBrowsers automatically process Set-Cookie headers from HTTP responses. When a Turbo Frame request is in-flight during a session-modifying action (such as logout), the delayed response may include a Set-Cookie header reflecting the session state at request time. This can result in stale session cookies being restored after the session was intentionally modified or invalidated.\n\nThis condition can occur naturally on slow networks. An active network attacker capable of delaying responses could potentially exploit this to restore previous session state.\n\n ### Impact\n Applications using Turbo Frames with cookie-based session storage may experience:\n - Session state reversion after logout\n - Unintended restoration of previous authentication state\n\nThe impact is limited to applications using client-side cookie storage for sessions. Applications using server-side session stores (Redis, database, etc.) are not meaningfully affected, as the server-side session state remains authoritative.\n\n### Patches\n Upgrade to Turbo 8.0.21 or later. The fix cancels in-flight Turbo Frame requests when:\n - The frame element is disconnected from the DOM\n - The frame\u0027s disabled attribute is set\n - The frame\u0027s src attribute is cleared\n\n### Workarounds\n - Use server-side session storage instead of a cookie store like Rails\u0027s cookie store\n - Ensure logout flows remove or disable Turbo Frame elements before invalidating sessions\n\n### References\n - https://github.com/hotwired/turbo/pull/1399",
"id": "GHSA-qppm-g56g-fpvp",
"modified": "2026-01-21T21:11:06Z",
"published": "2026-01-20T18:58:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/hotwired/turbo/security/advisories/GHSA-qppm-g56g-fpvp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66803"
},
{
"type": "WEB",
"url": "https://github.com/hotwired/turbo/pull/1399"
},
{
"type": "WEB",
"url": "https://github.com/hotwired/turbo/commit/899df356e9f4b3303cca217cd14b3f846edda10d"
},
{
"type": "PACKAGE",
"url": "https://github.com/hotwired/turbo"
},
{
"type": "WEB",
"url": "https://github.com/hotwired/turbo/releases/tag/v8.0.21"
},
{
"type": "WEB",
"url": "https://turbo.hotwired.dev/handbook/frames"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Turbo Frame responses can restore stale session cookies"
}
GHSA-QQ8M-9RPX-W2FM
Vulnerability from github – Published: 2023-08-06 03:30 – Updated: 2023-08-09 14:30Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.2.11. This vulnerability allows a user's session to remain valid even after the user has logged out, potentially granting unauthorized access to sensitive areas and functionalities.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "admidio/admidio"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.2.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-4190"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-09T14:30:23Z",
"nvd_published_at": "2023-08-06T01:15:10Z",
"severity": "MODERATE"
},
"details": "Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.2.11. This vulnerability allows a user\u0027s session to remain valid even after the user has logged out, potentially granting unauthorized access to sensitive areas and functionalities.",
"id": "GHSA-qq8m-9rpx-w2fm",
"modified": "2023-08-09T14:30:23Z",
"published": "2023-08-06T03:30:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4190"
},
{
"type": "WEB",
"url": "https://github.com/admidio/admidio/commit/391fb2af5bee641837a58e7dd66ff76eac92bb74"
},
{
"type": "PACKAGE",
"url": "https://github.com/admidio/admidio"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/71bc75d2-320c-4332-ad11-9de535a06d92"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Admidio Insufficient Session Expiration vulnerability"
}
GHSA-QQFM-8GGF-XPCH
Vulnerability from github – Published: 2022-05-07 00:00 – Updated: 2022-05-17 00:00HCL Commerce is affected by an Insufficient Session Expiration vulnerability. After the session expires, in some circumstances, parts of the application are still accessible.
{
"affected": [],
"aliases": [
"CVE-2021-27751"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-06T18:15:00Z",
"severity": "LOW"
},
"details": "HCL Commerce is affected by an Insufficient Session Expiration vulnerability. After the session expires, in some circumstances, parts of the application are still accessible.",
"id": "GHSA-qqfm-8ggf-xpch",
"modified": "2022-05-17T00:00:53Z",
"published": "2022-05-07T00:00:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27751"
},
{
"type": "WEB",
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097650"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QRFJ-W3WQ-P623
Vulnerability from github – Published: 2025-04-01 18:30 – Updated: 2025-04-01 21:31A session management flaw in Nagios Network Analyzer 2024R1.0.3 allows an attacker to reuse session tokens even after a user logs out, leading to unauthorized access and account takeover. This occurs due to insufficient session expiration, where session tokens remain valid beyond logout, allowing an attacker to impersonate users and perform actions on their behalf.
{
"affected": [],
"aliases": [
"CVE-2025-28132"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-01T17:15:46Z",
"severity": "MODERATE"
},
"details": "A session management flaw in Nagios Network Analyzer 2024R1.0.3 allows an attacker to reuse session tokens even after a user logs out, leading to unauthorized access and account takeover. This occurs due to insufficient session expiration, where session tokens remain valid beyond logout, allowing an attacker to impersonate users and perform actions on their behalf.",
"id": "GHSA-qrfj-w3wq-p623",
"modified": "2025-04-01T21:31:27Z",
"published": "2025-04-01T18:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-28132"
},
{
"type": "WEB",
"url": "https://github.com/harshal79/Insufficient-Session-Expiration.git"
},
{
"type": "WEB",
"url": "https://www.nagios.com/changelog/#network-analyzer"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QRV8-99H7-2C7V
Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-05-24 19:13An insufficient session expiration vulnerability exists in the "Fish | Hunt FL" iOS app version 3.8.0 and earlier, which allows a remote attacker to reuse, spoof, or steal other user and admin sessions.
{
"affected": [],
"aliases": [
"CVE-2021-33982"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-08T17:15:00Z",
"severity": "HIGH"
},
"details": "An insufficient session expiration vulnerability exists in the \"Fish | Hunt FL\" iOS app version 3.8.0 and earlier, which allows a remote attacker to reuse, spoof, or steal other user and admin sessions.",
"id": "GHSA-qrv8-99h7-2c7v",
"modified": "2022-05-24T19:13:20Z",
"published": "2022-05-24T19:13:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33982"
},
{
"type": "WEB",
"url": "https://gist.github.com/p4lsec/1f024d96b44ea733cdae0605c7ce8a49"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QW2F-33VP-25MQ
Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-05-24 19:16An insufficient session expiration vulnerability [CWE- 613] in FortiClientEMS versions 6.4.2 and below, 6.2.8 and below may allow an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID (via other, hypothetical attacks)
{
"affected": [],
"aliases": [
"CVE-2021-24019"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-06T10:15:00Z",
"severity": "CRITICAL"
},
"details": "An insufficient session expiration vulnerability [CWE- 613] in FortiClientEMS versions 6.4.2 and below, 6.2.8 and below may allow an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID (via other, hypothetical attacks)",
"id": "GHSA-qw2f-33vp-25mq",
"modified": "2022-05-24T19:16:50Z",
"published": "2022-05-24T19:16:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24019"
},
{
"type": "WEB",
"url": "https://fortiguard.com/advisory/FG-IR-20-072"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QWRJ-9HMP-GPXH
Vulnerability from github – Published: 2022-07-15 18:10 – Updated: 2023-02-09 20:22Impact
Authenticated users using an external identity provider can continue to use Access Tokens and ID Tokens even after they expire. Using flyteadmin as the OAuth2 Authorization Server is unaffected by this issue.
Patches
1.1.30
Workarounds
Rotating signing keys immediately will: * Invalidate all open sessions, * Force all users to attempt to obtain new tokens.
Continue to rotate keys until flyteadmin has been upgraded,
Hide flyteadmin deployment ingress url from the internet.
References
https://github.com/flyteorg/flyteadmin/pull/455
For more information
If you have any questions or comments about this advisory: * Open an issue in flyte repo * Email us at flyte
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/flyteorg/flyteadmin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.31"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-31145"
],
"database_specific": {
"cwe_ids": [
"CWE-298",
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-15T18:10:48Z",
"nvd_published_at": "2022-07-13T21:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nAuthenticated users using an external identity provider can continue to use Access Tokens and ID Tokens even after they expire.\nUsing flyteadmin as the OAuth2 Authorization Server is unaffected by this issue.\n\n### Patches\n1.1.30\n\n### Workarounds\nRotating signing keys immediately will:\n* Invalidate all open sessions,\n* Force all users to attempt to obtain new tokens.\n\nContinue to rotate keys until flyteadmin has been upgraded,\n\nHide flyteadmin deployment ingress url from the internet.\n\n### References\nhttps://github.com/flyteorg/flyteadmin/pull/455\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [flyte repo](https://github.com/flyteorg/flyte/issues)\n* Email us at [flyte](mailto:admin@flyte.org)\n",
"id": "GHSA-qwrj-9hmp-gpxh",
"modified": "2023-02-09T20:22:10Z",
"published": "2022-07-15T18:10:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/flyteorg/flyteadmin/security/advisories/GHSA-qwrj-9hmp-gpxh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31145"
},
{
"type": "WEB",
"url": "https://github.com/flyteorg/flyteadmin/pull/455"
},
{
"type": "WEB",
"url": "https://github.com/flyteorg/flyteadmin/commit/a1ec282d02706e074bc4986fd0412e5da3b9d00a"
},
{
"type": "PACKAGE",
"url": "https://github.com/flyteorg/flyteadmin"
},
{
"type": "WEB",
"url": "https://github.com/flyteorg/flyteadmin/releases/tag/v1.1.31"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2022-0519"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "FlyteAdmin Insufficient AccessToken Expiration Check"
}
GHSA-QX8P-7XC2-FW37
Vulnerability from github – Published: 2022-05-14 03:41 – Updated: 2022-05-14 03:41Improper administrator IP validation after his login in the HTTPd server in all current versions (<= 3.0.0.4.380.7743) of Asus asuswrt allows an unauthorized user to execute any action knowing administrator session token by using a specific User-Agent string.
{
"affected": [],
"aliases": [
"CVE-2017-15653"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-31T20:29:00Z",
"severity": "HIGH"
},
"details": "Improper administrator IP validation after his login in the HTTPd server in all current versions (\u003c= 3.0.0.4.380.7743) of Asus asuswrt allows an unauthorized user to execute any action knowing administrator session token by using a specific User-Agent string.",
"id": "GHSA-qx8p-7xc2-fw37",
"modified": "2022-05-14T03:41:35Z",
"published": "2022-05-14T03:41:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15653"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/145921/ASUSWRT-3.0.0.4.382.18495-Session-Hijacking-Information-Disclosure.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2018/Jan/63"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.