CVE-2025-4754 LOW

CVE-2025-4754: Missing Session Revocation on Logout in ash_authentication_phoenix

Vendor Ash-Project
Product ash_authentication_phoenix
Weakness CWE-613 · Insufficient session expiration
Published June 17, 2025
Last update May 27, 2026

CVSS base score

2.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Passive
Confidentiality Low
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Insufficient Session Expiration vulnerability in ash-project ash_authentication_phoenix allows Session Hijacking. This vulnerability is associated with program files lib/ash_authentication_phoenix/controller.ex. This issue affects ash_authentication_phoenix until 2.10.0.

Key dates

02 Disclosure timeline

June 17, 2025 CVE published
May 27, 2026 Record updated