Insufficient Session Expiration Vulnerability in Ash Project Authentication Tool by Alembic
CVE-2025-4754
2.3 LOW
What is CVE-2025-4754?
The Ash Project's ash_authentication_phoenix tool contains a vulnerability that allows session hijacking due to insufficient session expiration mechanisms. This flaw can potentially allow unauthorized users to maintain active sessions, compromising user data and application security. All versions prior to 2.10.0 are affected and should be updated immediately.
Affected Version(s)
ash_authentication_phoenix pkg:hex/ash_authentication_phoenix@0
ash_authentication_phoenix 0 < 2.10.0
ash_authentication_phoenix 0
CVSS V4
Score: 2.3
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown
Timeline
Vulnerability published
Vulnerability Reserved
Credit
James Harton
Zach Daniel
Mike Buhot
Jonatan Männchen
Josh Price