Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Network-facing app exploited by an already-authenticated user (PR:L); reuse of a non-invalidated session yields full impersonation (C:H/I:H) with no availability impact (A:N).
Primary rating from Vendor (ibm).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
3DescriptionNVD
IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 does not invalidate session IDs after expiration which could allow an authenticated user to impersonate another user on the system.
AnalysisAI
Session hijacking in IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 allows an authenticated user to impersonate another user because session IDs are not invalidated after they expire (CWE-613). An attacker who obtains or reuses a stale session identifier can act with the victim's identity, producing high confidentiality and integrity impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
IBM DevOps Automation and IBM DevOps Loop are enterprise CI/CD and release-orchestration platforms (CPEs cpe:2.3:a:ibm:devops_automation and cpe:2.3:a:ibm:devops_loop). The root cause is CWE-613 (Insufficient Session Expiration): the application continues to honor session identifiers after their intended expiration window rather than invalidating them server-side. Because the session token is the authentication anchor for web requests, a session ID that stays valid past expiration becomes a reusable credential, decoupling authentication from any time limit and enabling impersonation if the token is captured, replayed, or otherwise reused.
RemediationAI
Apply the vendor patch referenced in IBM's advisory at https://www.ibm.com/support/pages/node/7277970 (Patch available per vendor advisory; an exact fixed version is not stated in the provided data, so confirm the target release on that page before deploying). Until patched, reduce exposure by shortening server-side session lifetimes and forcing re-authentication, ensuring sessions are destroyed server-side (not merely expired client-side) on logout and timeout, and where supported rotating or invalidating session IDs on context or privilege change; the trade-off is more frequent logins for users and possible disruption to long-running automation sessions. Restricting network access to the management interfaces to trusted users and networks further limits who can attempt to replay stale tokens.
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210374
GHSA-85r2-j732-h557