CVE-2025-4754: CWE-613 Insufficient Session Expiration in ash-project ash_authentication_phoenix
Insufficient Session Expiration vulnerability in ash-project ash_authentication_phoenix allows Session Hijacking. This vulnerability is associated with program files lib/ash_authentication_phoenix/controller.ex. This issue affects ash_authentication_phoenix until 2.10.0.
AI Analysis
Technical Summary
CVE-2025-4754 identifies a vulnerability classified under CWE-613 (Insufficient Session Expiration) in the ash_authentication_phoenix component of the ash-project, an Elixir-based authentication library. The vulnerability is located in the lib/ash_authentication_phoenix/controller.ex file and affects all versions up to 2.10.0. The core issue is that session tokens or identifiers are not invalidated or expired properly after a certain period or upon logout, allowing an attacker who obtains a valid session token to hijack the session and impersonate the legitimate user. The vulnerability can be exploited remotely over the network without requiring privileges but does require user interaction, such as clicking a malicious link or performing an action that triggers session reuse. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), attack requirements present (AT:P), no privileges required (PR:N), passive user interaction required (UI:P), low impact on confidentiality and integrity (VC:L, VI:L), and no impact on availability (VA:N). No known exploits have been reported in the wild, and no patches are currently linked, indicating that mitigation may require manual configuration or updates once available. The vulnerability poses a risk primarily to applications and services that rely on ash_authentication_phoenix for session management and authentication, potentially exposing user accounts to session hijacking attacks if session expiration is not enforced properly.
Potential Impact
The primary impact of this vulnerability is session hijacking, which can lead to unauthorized access to user accounts and sensitive information. While the CVSS score is low, the actual risk depends on the context of deployment and the sensitivity of the protected resources. Organizations using ash_authentication_phoenix in web applications or APIs may face risks of account compromise, especially if session tokens are long-lived or not invalidated after logout. This can undermine user trust, lead to data breaches, and potentially facilitate further attacks such as privilege escalation or data exfiltration. Since the vulnerability requires user interaction, phishing or social engineering could be used to exploit it. The lack of known exploits suggests limited current threat activity, but the vulnerability remains a latent risk until addressed. The impact is more pronounced in environments with high-value targets or where session management is critical for security compliance.
Mitigation Recommendations
Organizations should immediately review their session management policies when using ash_authentication_phoenix and implement strict session expiration controls. This includes setting short session lifetimes, enforcing token invalidation upon logout, and monitoring for unusual session activity. Developers should upgrade to versions beyond 2.10.0 once patches are released or apply any available security updates promptly. In the interim, consider implementing additional layers of security such as multi-factor authentication (MFA) to reduce the risk of session hijacking. Employ secure cookie attributes (HttpOnly, Secure, SameSite) to protect session tokens from interception. Regularly audit session handling code and conduct penetration testing focused on session management. User education on phishing risks can reduce the likelihood of user interaction-based exploitation. Finally, monitor security advisories from ash-project for updates or patches addressing this vulnerability.
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Sweden, Japan, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: EEF
- Date Reserved: 2025-05-15T09:03:11.355Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68517cf5a8c921274385d335
Added to database: 6/17/2025, 2:34:29 PM
Last enriched: 2/28/2026, 2:56:18 PM
Last updated: 3/24/2026, 8:47:44 PM