CWE-613

Insufficient Session Expiration

Base

What it is

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Impact

Access Control: Bypass Protection Mechanism

Mitigations

  • [Implementation] Set an expiration date for sessions and credentials.
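
One way to enforce this mitigation on the server side, shown as an added example that is not taken from MITRE or from this page: an opaque session ID is checked against both an idle timeout and an absolute lifetime, and an expired or logged-out ID is deleted so it cannot be reused. The class and function names, the 15-minute and 8-hour limits, and the timeline in `demo()` are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # assumed policy: 15 minutes of inactivity
ABSOLUTE_LIFETIME = 8 * 3600  # assumed policy: 8 hour hard cap


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side session table; the token is only an opaque lookup key."""

    def __init__(self, idle=IDLE_TIMEOUT, absolute=ABSOLUTE_LIFETIME):
        self.idle, self.absolute = idle, absolute
        self._sessions = {}

    def create(self, user, now):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token, now):
        """Return the user for a live session, else None (and delete it)."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.last_seen > self.idle or now - s.created > self.absolute:
            del self._sessions[token]    # an expired ID can never be revived
            return None
        s.last_seen = now                # sliding idle window, fixed hard cap
        return s.user

    def logout(self, token):
        self._sessions.pop(token, None)  # invalidate server-side, not just the cookie


def demo():
    store = SessionStore()
    t = store.create("alice", now=0)                # constructed timeline, in seconds
    active = store.validate(t, now=600)             # inside the idle window
    idle_reuse = store.validate(t, now=600 + 901)   # idle for more than 15 minutes
    t2 = store.create("bob", now=0)
    for tick in range(0, 8 * 3600 + 1, 600):        # kept active every 10 minutes
        last = store.validate(t2, now=tick)
    capped = store.validate(t2, now=8 * 3600 + 60)  # past the absolute lifetime
    return active, idle_reuse, last, capped
```

The absolute lifetime matters because a sliding idle timeout alone lets a continuously used (or continuously replayed) session ID live indefinitely.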

Real-world CVE examples

  • CVE-2025-46344 — JavaScript SDK does not set an expiration time for JWE tokens related to a session
  • CVE-2024-8888 — Web interface for a power quality analyzer uses tokens without an expiration date
  • CVE-2024-35206 — network traffic analyzer for PROFINET networks does not expire sessions
  • CVE-2024-27782 — AI/ML monitor for IT operations allows re-use of old session tokens due to insufficient session expiration


Source: MITRE CWE. View on cwe.mitre.org →