CVE-2025-12624: CWE-613: Insufficient Session Expiration in WSO2 WSO2 Identity Server
Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. The security consequence is that a locked user account can maintain access to protected resources through the use of existing, unexpired access tokens. This creates a security gap where access control policies are bypassed, potentially leading to unauthorized data access or actions until the tokens naturally expire.
AI Analysis
Technical Summary
This vulnerability (CWE-613) in WSO2 Identity Server 5.2.0 involves insufficient session expiration controls. When a user account is locked, the system fails to revoke or invalidate active access tokens associated with that account. Consequently, these tokens remain valid and usable, allowing continued access to protected resources despite the account being locked. The CVSS 3.1 score is 6.0 (medium severity), reflecting network attack vector, high attack complexity, low privileges required, no user interaction, and partial impact on confidentiality, integrity, and availability.
Potential Impact
The impact is that locked user accounts can maintain access to protected resources using existing valid tokens, effectively bypassing the intended access control restrictions. This could lead to unauthorized data access or actions until the tokens expire naturally. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or temporary workaround has been documented. Users should monitor vendor communications for updates and consider additional compensating controls to limit token lifetime or enforce manual token revocation upon account lock if feasible.
CVE-2025-12624: CWE-613: Insufficient Session Expiration in WSO2 WSO2 Identity Server
Description
Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. The security consequence is that a locked user account can maintain access to protected resources through the use of existing, unexpired access tokens. This creates a security gap where access control policies are bypassed, potentially leading to unauthorized data access or actions until the tokens naturally expire.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CWE-613) in WSO2 Identity Server 5.2.0 involves insufficient session expiration controls. When a user account is locked, the system fails to revoke or invalidate active access tokens associated with that account. Consequently, these tokens remain valid and usable, allowing continued access to protected resources despite the account being locked. The CVSS 3.1 score is 6.0 (medium severity), reflecting network attack vector, high attack complexity, low privileges required, no user interaction, and partial impact on confidentiality, integrity, and availability.
Potential Impact
The impact is that locked user accounts can maintain access to protected resources using existing valid tokens, effectively bypassing the intended access control restrictions. This could lead to unauthorized data access or actions until the tokens expire naturally. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or temporary workaround has been documented. Users should monitor vendor communications for updates and consider additional compensating controls to limit token lifetime or enforce manual token revocation upon account lock if feasible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- WSO2
- Date Reserved
- 2025-11-03T06:20:27.950Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e0be2882d89c981f771dd6
Added to database: 4/16/2026, 10:47:04 AM
Last enriched: 4/16/2026, 11:01:53 AM
Last updated: 4/17/2026, 6:19:01 AM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.