CVE-2021-25940: CWE-613 Insufficient Session Expiration in arangodb arangodb

Severity: High
Type: Vulnerability
Tags: CVE-2021-25940, cve, cwe-613
Published: Tue Nov 16 2021 (11/16/2021, 09:25:09 UTC)
Source: CVE
Vendor/Project: arangodb
Product: arangodb

Description

In ArangoDB, versions v3.7.6 through v3.8.3 are vulnerable to Insufficient Session Expiration. When a user’s password is changed by the administrator, the session isn’t invalidated, allowing a malicious user to still be logged in and perform arbitrary actions within the system.

AI-Powered Analysis

AI analysis last updated: 06/25/2025, 09:17:08 UTC

Technical Analysis

CVE-2021-25940 is a high-severity vulnerability affecting ArangoDB versions 3.7.6 through 3.8.3. The issue is classified under CWE-613 (Insufficient Session Expiration). Specifically, when an administrator changes a user's password in the affected versions of ArangoDB, the system fails to invalidate existing sessions associated with that user. An attacker who holds an active session from before the password change can therefore continue operating within the system without re-authenticating, and can perform arbitrary actions with the privileges of the compromised account, potentially leading to unauthorized data access, modification, or deletion.

The vulnerability has a CVSS v3.1 base score of 8.8, indicating high severity. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates that the attack can be executed remotely over the network with low attack complexity, requires low privileges (the attacker must already hold a valid session for the account), does not require user interaction, and has a high impact on confidentiality, integrity, and availability. Although no exploits are known in the wild, the vulnerability poses a significant risk because sessions persist after a password change, which undermines a standard security control.

ArangoDB is a multi-model NoSQL database commonly used in enterprise environments for applications requiring flexible data models and high performance. The vulnerability affects its session management mechanism, a critical component for maintaining secure access control in database systems.

Potential Impact

For European organizations utilizing ArangoDB within the affected versions, this vulnerability can lead to prolonged unauthorized access even after password resets, which are typically used to remediate compromised accounts. Attackers maintaining active sessions can exfiltrate sensitive data, manipulate or corrupt data integrity, and disrupt availability by executing arbitrary commands within the database environment. This risk is particularly acute for sectors handling sensitive or regulated data, such as finance, healthcare, telecommunications, and government agencies. The persistence of sessions despite password changes undermines incident response efforts and increases the window of exposure. Moreover, organizations relying on ArangoDB for critical infrastructure or services may face operational disruptions and compliance violations under GDPR and other data protection regulations if unauthorized access leads to data breaches. The vulnerability's exploitation could also facilitate lateral movement within networks if attackers leverage database access to escalate privileges or pivot to other systems.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should promptly upgrade ArangoDB to a version beyond 3.8.3 in which the session expiration flaw is addressed. If an immediate upgrade is not feasible, administrators should manually invalidate sessions whenever a password is changed, forcibly terminating all active sessions associated with the user account; this can be done by restarting the ArangoDB service or by using administrative APIs or scripts to revoke session tokens. Additionally, organizations should monitor session activity closely and implement anomaly detection to identify sessions that remain in use after a password reset. Integrating multi-factor authentication (MFA) at the application or database access layer further reduces risk by requiring verification beyond the session token. Regular auditing of user sessions and access logs is recommended to detect potential misuse. Finally, organizations should review and tighten privilege assignments to minimize the impact of compromised accounts, and ensure that password change policies are coupled with session management controls.
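As an added example of the monitoring recommended above (not part of the original advisory), the detector below scans constructed JSON audit events and flags any session that was already active before an administrative password change for its user and is still used afterwards, which is exactly the condition CVE-2021-25940 makes possible. The event format, field names and sample lines are assumptions for the demo, not ArangoDB's log format.

```python
import json
from collections import defaultdict

# Constructed sample audit events (not real ArangoDB output); one JSON object per line.
SAMPLE_LOG = """\
{"ts": 100, "event": "login", "user": "alice", "session": "s-a1"}
{"ts": 120, "event": "request", "user": "alice", "session": "s-a1", "path": "/_api/document"}
{"ts": 150, "event": "password_changed", "user": "alice", "by": "root"}
{"ts": 160, "event": "request", "user": "alice", "session": "s-a1", "path": "/_api/cursor"}
{"ts": 170, "event": "login", "user": "alice", "session": "s-a2"}
{"ts": 180, "event": "request", "user": "alice", "session": "s-a2", "path": "/_api/cursor"}
{"ts": 190, "event": "request", "user": "bob", "session": "s-b1", "path": "/_api/version"}
"""


def find_sessions_surviving_reset(log_text: str) -> list[dict]:
    """Return one finding per (user, session) that started before a password
    change for that user and was still used after it. Events must be in
    timestamp order, as they would be when read from an audit log."""
    first_seen: dict[tuple[str, str], int] = {}
    pw_changes: dict[str, list[int]] = defaultdict(list)
    findings: dict[tuple[str, str], dict] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        user = ev["user"]
        if ev["event"] == "password_changed":
            pw_changes[user].append(ev["ts"])
            continue
        key = (user, ev["session"])
        first_seen.setdefault(key, ev["ts"])  # session start = first time we saw it
        # A session is stale if some password change falls between its start and this use.
        stale_since = [t for t in pw_changes[user] if first_seen[key] < t <= ev["ts"]]
        if stale_since and key not in findings:
            findings[key] = {
                "user": user,
                "session": ev["session"],
                "session_started": first_seen[key],
                "password_changed": stale_since[0],
                "first_use_after_change": ev["ts"],
                "path": ev.get("path"),
            }
    return list(findings.values())
```

Sessions that were issued after the change (s-a2) and users without a password change (bob) are not reported, so the output is a short list of sessions an administrator should revoke and investigate.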

Technical Details

Data Version: 5.1
Assigner Short Name: Mend
Date Reserved: 2021-01-22T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d983bc4522896dcbedcb6

Added to database: 5/21/2025, 9:09:15 AM

Last enriched: 6/25/2025, 9:17:08 AM

Last updated: 8/12/2025, 3:27:40 AM
