CWE · MITRE source
CWE-613: Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (8) AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| AC-11 | Device Lock | AC | Locks the device (typically after inactivity) until re-authentication, addressing insufficient session expiration by preventing indefinite access. |
| AC-12 | Session Termination | AC | Automatically terminating sessions after a defined period directly enforces session expiration, preventing indefinite session lifetimes that attackers can exploit. |
| SC-10 | Network Disconnect | SC | Directly enforces termination of network sessions after inactivity or end-of-session, preventing indefinite session lifetime. |
| SC-45 | System Time Synchronization | SC | Consistent clocks across systems allow session expiration and timeout enforcement to function as intended in distributed environments. |
| SI-14 | Non-persistence | SI | When the non-persistent artifact is a session or connection, mandatory termination implements the missing expiration that CWE-613 describes. |
| SI-21 | Information Refresh | SI | Timed refresh of session-related information, or on-demand generation plus deletion, implements proper session expiration. |
| IA-11 | Re-authentication | IA | Re-authentication after inactivity or time-based triggers prevents indefinite use of potentially hijacked or stale sessions. |
| MA-4 | Nonlocal Maintenance | MA | Terminating sessions and network connections upon completion prevents insufficient session expiration. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2014-2595 | 5.4 | 9.8 | 0.5747 | 2020-02-12 |
| CVE-2020-27422 | 2.6 | 9.8 | 0.1069 | 2020-11-16 |
| CVE-2024-48827 | 2.6 | 8.8 | 0.1475 | 2024-10-11 |
| CVE-2021-24019 | 2.5 | 8.1 | 0.1519 | 2021-10-06 |
| CVE-2020-29667 | 2.2 | 9.8 | 0.0444 | 2020-12-10 |
| CVE-2018-21018 | 2.1 | 9.8 | 0.0164 | 2019-09-22 |
| CVE-2020-8234 | 2.1 | 9.8 | 0.0180 | 2020-08-21 |
| CVE-2020-27739 | 2.1 | 9.8 | 0.0223 | 2020-10-28 |
| CVE-2021-3311 | 2.1 | 9.8 | 0.0152 | 2021-02-05 |
| CVE-2021-3144 | 2.1 | 9.1 | 0.0548 | 2021-02-27 |
| CVE-2021-25981 | 2.1 | 9.8 | 0.0210 | 2022-01-03 |
| CVE-2017-6529 | 2.0 | 8.8 | 0.0448 | 2017-03-09 |
| CVE-2016-5069 | 2.0 | 9.8 | 0.0003 | 2017-04-10 |
| CVE-2015-5171 | 2.0 | 9.8 | 0.0048 | 2017-10-24 |
| CVE-2016-6545 | 2.0 | 9.8 | 0.0095 | 2018-07-13 |
| CVE-2018-6634 | 2.0 | 9.8 | 0.0052 | 2019-05-07 |
| CVE-2016-11014 | 2.0 | 9.8 | 0.0044 | 2019-10-16 |
| CVE-2019-8149 | 2.0 | 9.8 | 0.0042 | 2019-11-06 |
| CVE-2020-17474 | 2.0 | 9.8 | 0.0038 | 2020-08-14 |
| CVE-2020-6649 | 2.0 | 9.8 | 0.0041 | 2021-02-08 |
| CVE-2020-35358 | 2.0 | 9.8 | 0.0148 | 2021-03-15 |
| CVE-2021-37333 | 2.0 | 9.8 | 0.0038 | 2021-10-04 |
| CVE-2021-38823 | 2.0 | 9.8 | 0.0038 | 2021-10-04 |
| CVE-2021-40849 | 2.0 | 9.8 | 0.0043 | 2021-11-03 |
| CVE-2021-25979 | 2.0 | 9.8 | 0.0036 | 2021-11-08 |