CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
875 vulnerabilities reference this CWE, most recent first.
GHSA-PJ27-2XVP-4QXG
Vulnerability from github – Published: 2024-05-21 18:09 – Updated: 2024-05-22 13:26Impact
When restoring the cookie from the session store, the expires field is overriden if the maxAge field was set.
This means a cookie is never correctly detected as expired and thus expired sessions are not destroyed.
Patches
Updating to v10.9.0 will solve this.
Workarounds
None
References
Publicly reported at: https://github.com/fastify/session/issues/251
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@fastify/session"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-35220"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-21T18:09:57Z",
"nvd_published_at": "2024-05-21T21:15:08Z",
"severity": "HIGH"
},
"details": "### Impact\n\nWhen restoring the cookie from the session store, the `expires` field is overriden if the `maxAge` field was set.\nThis means a cookie is never correctly detected as expired and thus expired sessions are not destroyed.\n\n### Patches\n\nUpdating to v10.9.0 will solve this.\n\n### Workarounds\n\nNone\n\n### References\n\nPublicly reported at: https://github.com/fastify/session/issues/251",
"id": "GHSA-pj27-2xvp-4qxg",
"modified": "2024-05-22T13:26:11Z",
"published": "2024-05-21T18:09:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fastify/session/security/advisories/GHSA-pj27-2xvp-4qxg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35220"
},
{
"type": "WEB",
"url": "https://github.com/fastify/session/issues/251"
},
{
"type": "WEB",
"url": "https://github.com/fastify/session/commit/0495ce5b534c4550f25228821db8098293439f2f"
},
{
"type": "PACKAGE",
"url": "https://github.com/fastify/session"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "@fastify/session reuses destroyed session cookie"
}
GHSA-PJR6-JX7R-J4R6
Vulnerability from github – Published: 2025-04-29 18:54 – Updated: 2025-04-30 17:25Overview
Auth0 NextJS v4.0.1 to v4.5.0 does not invoke .setExpirationTime when generating a JWE token for the session. As a result, the JWE does not contain an internal expiration claim. While the session cookie may expire or be cleared, the JWE remains valid.
Am I Affected?
You are affected if you are using Auth0 NextJS SDK v4.
Fix
Upgrade to v4.5.1.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@auth0/nextjs-auth0"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.1"
},
{
"fixed": "4.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-46344"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-29T18:54:49Z",
"nvd_published_at": "2025-04-29T21:15:51Z",
"severity": "MODERATE"
},
"details": "### Overview\nAuth0 NextJS `v4.0.1` to `v4.5.0` does not invoke `.setExpirationTime` when generating a JWE token for the session. As a result, the JWE does not contain an internal expiration claim. While the session cookie may expire or be cleared, the JWE remains valid.\n\n### Am I Affected?\nYou are affected if you are using Auth0 NextJS SDK v4.\n\n### Fix\nUpgrade to `v4.5.1`.",
"id": "GHSA-pjr6-jx7r-j4r6",
"modified": "2025-04-30T17:25:56Z",
"published": "2025-04-29T18:54:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-pjr6-jx7r-j4r6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46344"
},
{
"type": "WEB",
"url": "https://github.com/auth0/nextjs-auth0/commit/a4f061aed02ffa132feca8adfbd11704df17e1c3"
},
{
"type": "PACKAGE",
"url": "https://github.com/auth0/nextjs-auth0"
},
{
"type": "WEB",
"url": "https://github.com/auth0/nextjs-auth0/releases/tag/v4.5.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Auth0 NextJS SDK v4 Missing Session Invalidation"
}
GHSA-PRQ9-W4J8-GG56
Vulnerability from github – Published: 2025-01-07 09:30 – Updated: 2025-07-29 21:30: Insufficient Session Expiration vulnerability in Progress Sitefinity allows : Session Fixation.This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421.
{
"affected": [],
"aliases": [
"CVE-2024-11627"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-07T08:15:24Z",
"severity": "MODERATE"
},
"details": ": Insufficient Session Expiration vulnerability in Progress Sitefinity allows : Session Fixation.This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327,\u00a0from 15.2.8400 through 15.2.8421.",
"id": "GHSA-prq9-w4j8-gg56",
"modified": "2025-07-29T21:30:33Z",
"published": "2025-01-07T09:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11627"
},
{
"type": "WEB",
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-11625-and-CVE-2024-11626-January-2025"
},
{
"type": "WEB",
"url": "https://www.progress.com/sitefinity-cms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PVJ4-5RHW-5CWW
Vulnerability from github – Published: 2024-08-14 15:31 – Updated: 2024-08-19 18:32The Central Manager user session refresh token does not expire when a user logs out. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
{
"affected": [],
"aliases": [
"CVE-2024-39809"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-14T15:15:26Z",
"severity": "HIGH"
},
"details": "The Central Manager user session refresh token does not expire when a user logs out.\u00a0\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated",
"id": "GHSA-pvj4-5rhw-5cww",
"modified": "2024-08-19T18:32:05Z",
"published": "2024-08-14T15:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39809"
},
{
"type": "WEB",
"url": "https://my.f5.com/manage/s/article/K000140111"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-PW3R-X83P-53F3
Vulnerability from github – Published: 2025-07-28 18:31 – Updated: 2025-07-28 18:31Improper session invalidation in the component /library/change-password.php of PHPGurukul Online Library Management System v3.0 allows attackers to execute a session hijacking attack.
{
"affected": [],
"aliases": [
"CVE-2025-50488"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-28T18:15:25Z",
"severity": "HIGH"
},
"details": "Improper session invalidation in the component /library/change-password.php of PHPGurukul Online Library Management System v3.0 allows attackers to execute a session hijacking attack.",
"id": "GHSA-pw3r-x83p-53f3",
"modified": "2025-07-28T18:31:29Z",
"published": "2025-07-28T18:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50488"
},
{
"type": "WEB",
"url": "https://github.com/VasilVK/CVE/tree/main/CVE-2025-50488"
},
{
"type": "WEB",
"url": "http://online.com"
},
{
"type": "WEB",
"url": "http://phpgurukul.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q43Q-MP42-75VM
Vulnerability from github – Published: 2025-04-09 15:32 – Updated: 2025-04-09 15:32Insufficient Session Expiration vulnerability in Progress Software Corporation Sitefinity under some specific and uncommon circumstances allows reusing Session IDs (Session Replay Attacks).This issue affects Sitefinity: from 14.0 through 14.3, from 14.4 before 14.4.8145, from 15.0 before 15.0.8231, from 15.1 before 15.1.8332, from 15.2 before 15.2.8429.
{
"affected": [],
"aliases": [
"CVE-2025-1968"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-09T14:15:27Z",
"severity": "HIGH"
},
"details": "Insufficient Session Expiration vulnerability in Progress Software Corporation Sitefinity under some specific and uncommon circumstances allows reusing Session IDs (Session Replay Attacks).This issue affects Sitefinity: from 14.0 through 14.3, from 14.4 before 14.4.8145, from 15.0 before 15.0.8231, from 15.1 before 15.1.8332, from 15.2 before 15.2.8429.",
"id": "GHSA-q43q-mp42-75vm",
"modified": "2025-04-09T15:32:23Z",
"published": "2025-04-09T15:32:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1968"
},
{
"type": "WEB",
"url": "https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerability-CVE-2025-1968-April-2025"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-Q59R-M5G9-6M54
Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-14 18:30An insufficient session expiration vulnerability [CWE-613] and an incorrect authorization vulnerability [CWE-863] in FortiIsolator 2.4.0 through 2.4.4, 2.3 all versions, 2.2.0, 2.1 all versions, 2.0 all versions authentication mechanism may allow remote unauthenticated attacker to deauthenticate logged in admins via crafted cookie and remote authenticated read-only attacker to gain write privilege via crafted cookie.
{
"affected": [],
"aliases": [
"CVE-2024-33507"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-14T16:15:34Z",
"severity": "HIGH"
},
"details": "An insufficient session expiration vulnerability [CWE-613] and an incorrect authorization vulnerability [CWE-863] in FortiIsolator 2.4.0 through 2.4.4, 2.3 all versions, 2.2.0, 2.1 all versions, 2.0 all versions authentication mechanism may allow remote unauthenticated attacker to deauthenticate logged in admins via crafted cookie and remote authenticated read-only attacker to gain write privilege via crafted cookie.",
"id": "GHSA-q59r-m5g9-6m54",
"modified": "2025-10-14T18:30:27Z",
"published": "2025-10-14T18:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33507"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-062"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q6JW-JGGW-87G5
Vulnerability from github – Published: 2023-09-14 18:32 – Updated: 2024-04-04 07:40A vulnerability has been identified in QMS Automotive (All versions < V12.39). The QMS.Mobile module of the affected application does not invalidate the session token on logout. This could allow an attacker to perform session hijacking attacks.
{
"affected": [],
"aliases": [
"CVE-2023-40732"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-12T10:15:29Z",
"severity": "LOW"
},
"details": "A vulnerability has been identified in QMS Automotive (All versions \u003c V12.39). The QMS.Mobile module of the affected application does not invalidate the session token on logout. This could allow an attacker to perform session hijacking attacks.",
"id": "GHSA-q6jw-jggw-87g5",
"modified": "2024-04-04T07:40:44Z",
"published": "2023-09-14T18:32:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40732"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-147266.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q8FF-7FFM-M3R9
Vulnerability from github – Published: 2026-05-05 18:42 – Updated: 2026-05-19 15:56Summary
OpenClaw webhooks allowed route secrets to be backed by SecretRef values, but cached the resolved secret for a route. After an operator rotated the underlying secret and ran openclaw secrets reload, the previous resolved webhook secret could remain valid until the plugin or gateway restarted.
Impact
An attacker who already had a previously valid webhook route secret could continue authenticating webhook requests after the operator rotated the secret and reloaded secrets. This weakened credential rotation for webhook routes and could allow continued invocation of the configured webhook task flow until restart.
Affected Packages / Versions
- Package:
openclawon npm - Affected: versions before
2026.4.23 - Fixed:
2026.4.23 - Latest stable verified fixed:
openclaw@2026.4.23, tagv2026.4.23
Fix
Webhook route authentication now resolves SecretRef-backed route secrets on each request. A rotated secret becomes effective after openclaw secrets reload without requiring a gateway or plugin restart, and the old secret is rejected.
Fix Commit(s)
36c4a372a0ad5dca8bfc0d93f7aab9c2f2de66fa(fix(webhooks): reload route secrets per request)
Severity
Severity remains medium. The attack requires possession of a previously valid route secret, but the stale credential can continue to authorize webhook actions after rotation.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.4.23"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45005"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-05T18:42:51Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nOpenClaw webhooks allowed route secrets to be backed by `SecretRef` values, but cached the resolved secret for a route. After an operator rotated the underlying secret and ran `openclaw secrets reload`, the previous resolved webhook secret could remain valid until the plugin or gateway restarted.\n\n## Impact\n\nAn attacker who already had a previously valid webhook route secret could continue authenticating webhook requests after the operator rotated the secret and reloaded secrets. This weakened credential rotation for webhook routes and could allow continued invocation of the configured webhook task flow until restart.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` on npm\n- Affected: versions before `2026.4.23`\n- Fixed: `2026.4.23`\n- Latest stable verified fixed: `openclaw@2026.4.23`, tag `v2026.4.23`\n\n## Fix\n\nWebhook route authentication now resolves `SecretRef`-backed route secrets on each request. A rotated secret becomes effective after `openclaw secrets reload` without requiring a gateway or plugin restart, and the old secret is rejected.\n\n## Fix Commit(s)\n\n- `36c4a372a0ad5dca8bfc0d93f7aab9c2f2de66fa` (`fix(webhooks): reload route secrets per request`)\n\n## Severity\n\nSeverity remains `medium`. The attack requires possession of a previously valid route secret, but the stale credential can continue to authorize webhook actions after rotation.",
"id": "GHSA-q8ff-7ffm-m3r9",
"modified": "2026-05-19T15:56:42Z",
"published": "2026-05-05T18:42:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q8ff-7ffm-m3r9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45005"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/36c4a372a0ad5dca8bfc0d93f7aab9c2f2de66fa"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-webhook-route-secret-cache-not-invalidated-after-rotation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "OpenClaw\u0027s Webhooks SecretRef route secret remains valid after rotation/reload"
}
GHSA-Q929-G23J-2RC7
Vulnerability from github – Published: 2026-06-25 18:30 – Updated: 2026-06-26 09:30A flaw was found in Keycloak's client registration service. A remote attacker, possessing a previously issued Registration Access Token (RAT), could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker to reset the client's secret and potentially regain privileged API access. The primary impact includes unauthorized information disclosure and potential integrity compromise.
{
"affected": [],
"aliases": [
"CVE-2026-9705"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T17:17:03Z",
"severity": "MODERATE"
},
"details": "A flaw was found in Keycloak\u0027s client registration service. A remote attacker, possessing a previously issued Registration Access Token (RAT), could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker to reset the client\u0027s secret and potentially regain privileged API access. The primary impact includes unauthorized information disclosure and potential integrity compromise.",
"id": "GHSA-q929-g23j-2rc7",
"modified": "2026-06-26T09:30:46Z",
"published": "2026-06-25T18:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9705"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30083"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30084"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-9705"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481878"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.