Description
Insufficient Session Expiration vulnerability in ash-project ash_authentication_phoenix allows Session Hijacking. This vulnerability is associated with program files lib/ash_authentication_phoenix/controller.ex.

This issue affects ash_authentication_phoenix until 2.10.0.
Published: 2025-06-17
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Session Hijacking due to missing logout session revocation
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an insufficient session expiration flaw that permits a session cookie to remain valid after a user logs out. This flaw allows an attacker who obtains a valid session token to continue using the session, effectively enabling session hijacking. The weakness is classified as CWE‑613, which indicates improper removal or invalidation of a credential after its intended use.

Affected Systems

The flaw affects the Ash Authentication Phoenix library from the Ash Project. All releases up to and including version 2.10.0 are impacted. Organizations using this library in any environment—web or otherwise—are at risk unless the software is upgraded beyond version 2.10.0.

Risk and Exploitability

The CVSS score of 2.3 reflects a low severity as the vulnerability does not directly lead to remote code execution or full system compromise. The EPSS score of less than 1 % indicates a very low probability of exploitation in the wild, and the flaw is not listed in CISA’s KEV catalog. In practice, an attacker would need to acquire a valid session cookie, possibly through another vulnerability, to exploit the flaw. Once in possession of the cookie, the attacker can replay the session after logout, underscoring the importance of proper session invalidation.

Generated by OpenCVE AI on April 28, 2026 at 11:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Ash Authentication Phoenix to the latest release (any version newer than 2.10.0) that includes the session‑revocation fix.
  • Verify that the logout endpoints in your application explicitly clear or destroy session tokens and that no residual session data remains after logout.
  • If an immediate upgrade is not possible, enforce short session timeouts on the client side and require re‑authentication for sensitive actions to limit the window in which a hijacked session could be used.

Generated by OpenCVE AI on April 28, 2026 at 11:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-18506 ash_authentication_phoenix has Insufficient Session Expiration
Github GHSA Github GHSA GHSA-f7gq-h8jv-h3cq ash_authentication_phoenix has Insufficient Session Expiration
History

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
References

Tue, 02 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Team-alembic
Team-alembic ash Authentication Phoenix
CPEs cpe:2.3:a:team-alembic:ash_authentication_phoenix:*:*:*:*:*:*:*:*
Vendors & Products Team-alembic
Team-alembic ash Authentication Phoenix

Sat, 12 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00153}

 epss

{'score': 0.00192}

Fri, 04 Jul 2025 09:30:00 +0000

Type Values Removed Values Added
References

Tue, 17 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Jun 2025 14:45:00 +0000

Type Values Removed Values Added
Description Insufficient Session Expiration vulnerability in ash-project ash_authentication_phoenix allows Session Hijacking. This vulnerability is associated with program files lib/ash_authentication_phoenix/controller.ex. This issue affects ash_authentication_phoenix until 2.10.0.
Title Missing Session Revocation on Logout in ash_authentication_phoenix
Weaknesses CWE-613
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Team-alembic Ash Authentication Phoenix
cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-04-06T16:44:00.150Z

Reserved: 2025-05-15T09:03:11.355Z

Link: CVE-2025-4754

cve-icon Vulnrichment

Updated: 2025-06-17T14:40:40.526Z

cve-icon NVD

Status : Deferred

Published: 2025-06-17T15:15:53.273

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-4754

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T11:15:26Z

Weaknesses