{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4754", "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "state": "PUBLISHED", "assignerShortName": "EEF", "dateReserved": "2025-05-15T09:03:11.355Z", "datePublished": "2025-06-17T14:31:37.006Z", "dateUpdated": "2026-04-06T16:44:00.150Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.hex.pm", "cpes": ["cpe:2.3:a:team-alembic:ash_authentication_phoenix:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "packageName": "ash_authentication_phoenix", "packageURL": "pkg:hex/ash_authentication_phoenix", "product": "ash_authentication_phoenix", "programFiles": ["lib/ash_authentication_phoenix/controller.ex"], "repo": "https://github.com/team-alembic/ash_authentication_phoenix", "vendor": "ash-project", "versions": [{"lessThan": "2.10.0", "status": "affected", "version": "0", "versionType": "semver"}]}, {"collectionURL": "https://github.com", "cpes": ["cpe:2.3:a:team-alembic:ash_authentication_phoenix:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "packageName": "team-alembic/ash_authentication_phoenix", "packageURL": "pkg:github/team-alembic/ash_authentication_phoenix", "product": "ash_authentication_phoenix", "programFiles": ["lib/ash_authentication_phoenix/controller.ex"], "repo": "https://github.com/team-alembic/ash_authentication_phoenix", "vendor": "ash-project", "versions": [{"lessThan": "a3253fb4fc7145aeb403537af1c24d3a8d51ffb1", "status": "affected", "version": "0", "versionType": "git"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:team-alembic:ash_authentication_phoenix:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.10.0", "vulnerable": true}], "negate": false, "operator": "AND"}], "operator": "AND"}], "credits": [{"lang": "en", "type": "remediation reviewer", "value": "James Harton"}, {"lang": "en", "type": "remediation developer", "value": "Zach Daniel"}, {"lang": "en", "type": "analyst", "value": "Mike Buhot"}, {"lang": "en", "type": "analyst", "value": "Jonatan M\u00e4nnchen"}, {"lang": "en", "type": "analyst", "value": "Josh Price"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Insufficient Session Expiration vulnerability in ash-project ash_authentication_phoenix allows Session Hijacking.<p> This vulnerability is associated with program files <tt>lib/ash_authentication_phoenix/controller.ex</tt>.</p><p>This issue affects ash_authentication_phoenix until 2.10.0.</p>"}], "value": "Insufficient Session Expiration vulnerability in ash-project ash_authentication_phoenix allows Session Hijacking. This vulnerability is associated with program files lib/ash_authentication_phoenix/controller.ex.\n\nThis issue affects ash_authentication_phoenix until 2.10.0."}], "impacts": [{"capecId": "CAPEC-593", "descriptions": [{"lang": "en", "value": "CAPEC-593 Session Hijacking"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 2.3, "baseSeverity": "LOW", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-613", "description": "CWE-613 Insufficient Session Expiration", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "shortName": "EEF", "dateUpdated": "2026-04-06T16:44:00.150Z"}, "references": [{"tags": ["vendor-advisory", "related"], "url": "https://github.com/team-alembic/ash_authentication_phoenix/security/advisories/GHSA-f7gq-h8jv-h3cq"}, {"tags": ["related"], "url": "https://cna.erlef.org/cves/CVE-2025-4754.html"}, {"tags": ["related"], "url": "https://osv.dev/vulnerability/EEF-CVE-2025-4754"}, {"tags": ["patch"], "url": "https://github.com/team-alembic/ash_authentication_phoenix/pull/634"}, {"tags": ["patch"], "url": "https://github.com/team-alembic/ash_authentication_phoenix/commit/a3253fb4fc7145aeb403537af1c24d3a8d51ffb1"}], "source": {"discovery": "UNKNOWN"}, "title": "Missing Session Revocation on Logout in ash_authentication_phoenix", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-17T14:40:37.216297Z", "id": "CVE-2025-4754", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-17T14:41:09.297Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4754", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-17T14:40:37.216297Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-17T14:40:40.526Z"}}], "cna": {"title": "Missing Session Revocation on Logout in ash_authentication_phoenix", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "remediation reviewer", "value": "James Harton"}, {"lang": "en", "type": "remediation developer", "value": "Zach Daniel"}, {"lang": "en", "type": "analyst", "value": "Mike Buhot"}, {"lang": "en", "type": "analyst", "value": "Jonatan M\u00e4nnchen"}, {"lang": "en", "type": "analyst", "value": "Josh Price"}], "impacts": [{"capecId": "CAPEC-593", "descriptions": [{"lang": "en", "value": "CAPEC-593 Session Hijacking"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:team-alembic:ash_authentication_phoenix:*:*:*:*:*:*:*:*"], "repo": "https://github.com/team-alembic/ash_authentication_phoenix", "vendor": "ash-project", "product": "ash_authentication_phoenix", "versions": [{"status": "affected", "version": "0", "lessThan": "2.10.0", "versionType": "semver"}], "packageURL": "pkg:hex/ash_authentication_phoenix", "packageName": "ash_authentication_phoenix", "programFiles": ["lib/ash_authentication_phoenix/controller.ex"], "collectionURL": "https://repo.hex.pm", "defaultStatus": "unaffected"}, {"cpes": ["cpe:2.3:a:team-alembic:ash_authentication_phoenix:*:*:*:*:*:*:*:*"], "repo": "https://github.com/team-alembic/ash_authentication_phoenix", "vendor": "ash-project", "product": "ash_authentication_phoenix", "versions": [{"status": "affected", "version": "0", "lessThan": "a3253fb4fc7145aeb403537af1c24d3a8d51ffb1", "versionType": "git"}], "packageURL": "pkg:github/team-alembic/ash_authentication_phoenix", "packageName": "team-alembic/ash_authentication_phoenix", "programFiles": ["lib/ash_authentication_phoenix/controller.ex"], "collectionURL": "https://github.com", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/team-alembic/ash_authentication_phoenix/security/advisories/GHSA-f7gq-h8jv-h3cq", "tags": ["vendor-advisory", "related"]}, {"url": "https://cna.erlef.org/cves/CVE-2025-4754.html", "tags": ["related"]}, {"url": "https://osv.dev/vulnerability/EEF-CVE-2025-4754", "tags": ["related"]}, {"url": "https://github.com/team-alembic/ash_authentication_phoenix/pull/634", "tags": ["patch"]}, {"url": "https://github.com/team-alembic/ash_authentication_phoenix/commit/a3253fb4fc7145aeb403537af1c24d3a8d51ffb1", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Insufficient Session Expiration vulnerability in ash-project ash_authentication_phoenix allows Session Hijacking. This vulnerability is associated with program files lib/ash_authentication_phoenix/controller.ex.\n\nThis issue affects ash_authentication_phoenix until 2.10.0.", "supportingMedia": [{"type": "text/html", "value": "Insufficient Session Expiration vulnerability in ash-project ash_authentication_phoenix allows Session Hijacking.<p> This vulnerability is associated with program files <tt>lib/ash_authentication_phoenix/controller.ex</tt>.</p><p>This issue affects ash_authentication_phoenix until 2.10.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-613", "description": "CWE-613 Insufficient Session Expiration"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:team-alembic:ash_authentication_phoenix:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.10.0"}], "operator": "AND"}], "operator": "AND"}], "providerMetadata": {"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "shortName": "EEF", "dateUpdated": "2026-04-06T16:44:00.150Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4754", "state": "PUBLISHED", "dateUpdated": "2026-04-06T16:44:00.150Z", "dateReserved": "2025-05-15T09:03:11.355Z", "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "datePublished": "2025-06-17T14:31:37.006Z", "assignerShortName": "EEF"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Insufficient Session Expiration vulnerability in ash-project ash_authentication_phoenix allows Session Hijacking. This vulnerability is associated with program files lib/ash_authentication_phoenix/controller.ex.\n\nThis issue affects ash_authentication_phoenix until 2.10.0."}, {"lang": "es", "value": "La vulnerabilidad de expiraci\u00f3n de sesi\u00f3n insuficiente en el proyecto ash_authentication_phoenix permite el secuestro de sesiones. Esta vulnerabilidad est\u00e1 asociada a los archivos de programa lib/ash_authentication_phoenix/controller.ex. Este problema afecta a ash_authentication_phoenix hasta la versi\u00f3n 2.10.0."}], "id": "CVE-2025-4754", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary"}]}, "published": "2025-06-17T15:15:53.273", "references": [{"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://cna.erlef.org/cves/CVE-2025-4754.html"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://github.com/team-alembic/ash_authentication_phoenix/commit/a3253fb4fc7145aeb403537af1c24d3a8d51ffb1"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://github.com/team-alembic/ash_authentication_phoenix/pull/634"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://github.com/team-alembic/ash_authentication_phoenix/security/advisories/GHSA-f7gq-h8jv-h3cq"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://osv.dev/vulnerability/EEF-CVE-2025-4754"}], "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-613"}], "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T11:14:18.760836+00:00", "value": {"mitigation_remediation": ["Update Ash Authentication Phoenix to the latest release (any version newer than 2.10.0) that includes the session\u2011revocation fix.", "Verify that the logout endpoints in your application explicitly clear or destroy session tokens and that no residual session data remains after logout.", "If an immediate upgrade is not possible, enforce short session timeouts on the client side and require re\u2011authentication for sensitive actions to limit the window in which a hijacked session could be used."], "summary": {"action": "Apply\u00a0Patch", "impact": "Session\u00a0Hijacking due to missing logout session revocation"}, "threat_synthesis": {"affected_systems": "The flaw affects the Ash Authentication Phoenix library from the Ash Project. All releases up to and including version 2.10.0 are impacted. Organizations using this library in any environment\u2014web or otherwise\u2014are at risk unless the software is upgraded beyond version 2.10.0.", "description_and_impact": "The vulnerability is an insufficient session expiration flaw that permits a session cookie to remain valid after a user logs out. This flaw allows an attacker who obtains a valid session token to continue using the session, effectively enabling session hijacking. The weakness is classified as CWE\u2011613, which indicates improper removal or invalidation of a credential after its intended use.", "risk_and_exploitability": "The CVSS score of 2.3 reflects a low severity as the vulnerability does not directly lead to remote code execution or full system compromise. The EPSS score of less than 1\u202f% indicates a very low probability of exploitation in the wild, and the flaw is not listed in CISA\u2019s KEV catalog. In practice, an attacker would need to acquire a valid session cookie, possibly through another vulnerability, to exploit the flaw. Once in possession of the cookie, the attacker can replay the session after logout, underscoring the importance of proper session invalidation."}}}}, "created": "2026-04-28T11:15:26.099683+00:00", "updated": "2026-04-28T11:15:26.099694+00:00", "vendors": []}