CWE-613

Insufficient Session Expiration

Base
Incomplete

Description

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Related Weaknesses

Common Consequences

Scope: Access Control

Impact: Bypass Protection Mechanism

Potential Mitigations

Implementation

Set an expiration date for sessions and credentials.
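One way to enforce this mitigation on the server side, shown as an added example that is not part of the CWE entry: a session table that rejects an ID after an idle timeout, after an absolute lifetime, or after logout, so an old ID cannot be reused. The timeout values and the names `SessionStore` and `demo` are assumptions made for illustration.

```python
import secrets

# Assumed policy values for illustration; the page does not prescribe any.
IDLE_TIMEOUT = 15 * 60           # seconds of inactivity allowed
ABSOLUTE_TIMEOUT = 8 * 60 * 60   # maximum session lifetime in seconds

class SessionStore:
    """Hypothetical in-memory, server-side session table."""
    def __init__(self):
        self._sessions = {}      # sid -> [user, created, last_seen]

    def create(self, user, now):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = [user, now, now]
        return sid

    def validate(self, sid, now):
        """Return the user for a live session; expire and reject anything else."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        user, created, last_seen = s
        if now - created >= ABSOLUTE_TIMEOUT or now - last_seen >= IDLE_TIMEOUT:
            del self._sessions[sid]    # server forgets the ID, so replay fails
            return None
        s[2] = now                     # activity resets only the idle timer
        return user

    def logout(self, sid):
        self._sessions.pop(sid, None)  # explicit invalidation on logout

def demo(t0=1_000_000.0):
    """Constructed timeline: returns what each reuse attempt yields."""
    store = SessionStore()
    idle = store.create("alice", t0)
    busy = store.create("bob", t0)
    gone = store.create("carol", t0)
    store.logout(gone)
    out = {"fresh": store.validate(idle, t0 + 60),
           "after_idle": store.validate(idle, t0 + 60 + IDLE_TIMEOUT),
           "after_logout": store.validate(gone, t0 + 1)}
    # bob stays active every 10 minutes, yet the absolute limit still applies
    for t in range(0, ABSOLUTE_TIMEOUT, 600):
        assert store.validate(busy, t0 + t) == "bob"
    out["after_absolute"] = store.validate(busy, t0 + ABSOLUTE_TIMEOUT)
    return out
```

The clock is passed in as `now` so the timeline is deterministic; a deployment would read it from the server's own clock rather than from anything the client supplies.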

CVE-2025-46344

JavaScript SDK does not set an expiration time for JWE tokens related to a session

CVE-2024-8888

Web interface for a power quality analyzer uses tokens without an expiration date

CVE-2024-35206

Network traffic analyzer for PROFINET networks does not expire sessions

CVE-2024-27782

AI/ML monitor for IT operations allows re-use of old session tokens due to insufficient session expiration

Applicable Platforms

Not Language-Specific
