CVE-2025-4754: Missing Session Revocation on Logout in ash_authentication_phoenix

2.3 CVSS

Description

An Insufficient Session Expiration vulnerability in ash-project ash_authentication_phoenix allows Session Hijacking: a session is not revoked when the user logs out. The vulnerability is associated with the file lib/ash_authentication_phoenix/controller.ex.

This issue affects ash_authentication_phoenix versions until 2.10.0.

Classification

CVE ID: CVE-2025-4754

CVSS Base Severity: LOW

CVSS Base Score: 2.3

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Problem Types

CWE-613 Insufficient Session Expiration

Affected Products

Vendor: ash-project

Product: ash_authentication_phoenix

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.1% (estimated probability of exploitation in the wild)

EPSS Percentile: 28.38% (proportion of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-06-25 (date the score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2025-4754
https://github.com/team-alembic/ash_authentication_phoenix/security/advisories/GHSA-f7gq-h8jv-h3cq
https://github.com/team-alembic/ash_authentication_phoenix/pull/634