BLA5:2025 - Artifact Lifetime Exploitation (ALE)

Overview

Artifact Lifetime Exploitation (ALE) abuses one-time or short-lived artifacts such as tokens, sessions or temporary files that an application fails to expire or revoke after their intended use. An attacker who captures one of these still-valid artifacts can replay it to reach sensitive operations or data. Unlike limit-overrun oracles, this category covers stale or uninvalidated objects that remain usable beyond their expected lifecycle.

Root causes

APIs that generate disposable artifacts such as OTPs, download links or session tokens must mark them consumed or expired once they have served their purpose. If the server neither deletes nor flags an artifact after its first use (or, for a session, after logout), anyone holding it can replay it until its time-to-live runs out. Without strict enforcement of artifact state transitions, for example from new to used to expired, with the validity check and the transition performed as one atomic step, these resources remain active and enable replay attacks.
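The state machine described above, worked through in Python as an added example (not code from this page, from Sitefinity or from Drupal): a hypothetical ArtifactStore keeps every issued artifact server-side and owns its transitions. A vulnerable check verifies an artifact without changing its state, beside a hardened check that verifies and consumes under one lock, and an explicit revoke for logout. The class and method names and the fake clock are assumptions made for the example; the same store models both the OTP replay and the session replay described in the scenarios that follow.

```python
# Added example, not code from the page, Sitefinity or Drupal. ArtifactStore,
# its method names and the fake clock in replay_scenarios() are illustrative.
import hashlib
import secrets
import threading
import time
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional


class State(Enum):
    NEW = "new"
    USED = "used"
    EXPIRED = "expired"
    REVOKED = "revoked"  # explicitly invalidated, e.g. by logout


@dataclass
class Artifact:
    state: State
    expires_at: float
    single_use: bool  # True for OTPs and download links, False for sessions


class ArtifactStore:
    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._items: Dict[str, Artifact] = {}
        self._lock = threading.Lock()  # check and transition form one critical section
        self._clock = clock

    @staticmethod
    def _key(token: str) -> str:
        # Store a digest only, so a leaked table is not itself a bag of valid artifacts.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, ttl: float, single_use: bool) -> str:
        token = secrets.token_urlsafe(32)
        with self._lock:
            self._items[self._key(token)] = Artifact(State.NEW, self._clock() + ttl, single_use)
        return token

    def check_vulnerable(self, presented: str) -> bool:
        """The ALE pattern: validity is verified but state never changes, so a used OTP replays until its TTL lapses."""
        with self._lock:
            art = self._items.get(self._key(presented))
            return art is not None and art.state is State.NEW and self._clock() < art.expires_at

    def check(self, presented: str) -> bool:
        """Hardened: verify and consume under one lock, so two concurrent presentations of one OTP cannot both succeed."""
        with self._lock:
            art = self._items.get(self._key(presented))
            if art is None or art.state is not State.NEW:
                return False
            if self._clock() >= art.expires_at:
                art.state = State.EXPIRED
                return False
            if art.single_use:
                art.state = State.USED  # NEW -> USED before success is reported
            return True

    def revoke(self, presented: str) -> None:
        with self._lock:
            art = self._items.get(self._key(presented))
            if art is not None and art.state is State.NEW:
                art.state = State.REVOKED  # logout, password change or admin reset

    def state_of(self, presented: str) -> Optional[str]:
        with self._lock:
            art = self._items.get(self._key(presented))
            return None if art is None else art.state.value


def replay_scenarios() -> Dict[str, object]:
    """Replay a captured OTP and a captured session cookie through both code paths."""
    now = [1000.0]  # fake clock so the run is deterministic
    store = ArtifactStore(clock=lambda: now[0])
    r: Dict[str, object] = {}
    # OTP replay (Scenario #2): the attacker intercepts the code the user enters.
    otp = store.issue(ttl=300, single_use=True)
    r["otp_vuln_user"] = store.check_vulnerable(otp)
    r["otp_vuln_replay"] = store.check_vulnerable(otp)  # True: never marked USED
    otp = store.issue(ttl=300, single_use=True)
    r["otp_user"] = store.check(otp)
    r["otp_replay"] = store.check(otp)  # False: consumed on first use

    # Session replay (Scenario #1): cookie captured, user logs out, attacker replays.
    sess = store.issue(ttl=3600, single_use=False)
    r["session_live"] = store.check(sess) and store.check(sess)  # reusable while NEW
    r["session_replay_clientside_logout"] = store.check(sess)  # browser-only logout: store untouched
    store.revoke(sess)  # server-side logout closes the replay window
    r["session_replay_after_revoke"] = store.check(sess)

    # TTL enforcement: a session nobody revokes still dies and is marked EXPIRED.
    sess = store.issue(ttl=3600, single_use=False)
    now[0] += 3601
    r["session_after_ttl"] = store.check(sess)
    r["state_after_ttl"] = store.state_of(sess)
    return r
```

Two design points worth noting: the TTL alone never fixes the problem, because the replay window in both CVE scenarios lies inside the artifact's lifetime, so the state transition is what closes it; and the transition must happen in the same critical section as the check, otherwise two requests presenting the same OTP at once can both observe it as new.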

Examples

Scenario #1: Sitefinity Session Replay

Progress Sitefinity versions 14.0-15.2.8429 do not properly expire session IDs under certain conditions, so an old session ID can be reused for authorization.

An attacker who captures a valid session cookie, for example via XSS or network sniffing, can replay it after the user has logged out; because the server still honours the stale session ID, the replayed cookie grants the attacker that user's access to the application.

Scenario #2: Drupal OTP Replay

Drupal's One Time Password module (versions before 1.3.0) implements an OTP-based second factor by sending the user a single-use code by email or SMS. Because of a capture-replay flaw, a successfully verified OTP is not marked consumed, so an attacker who intercepts a code can submit it again within its validity window and pass the OTP check without the victim's device, bypassing the second factor.

Mapped CWEs

  • CWE-613: Insufficient Session Expiration
  • CWE-664: Improper Control of a Resource Through its Lifetime
  • CWE-459: Incomplete Cleanup
  • CWE-672: Operation on Resource after Expiration or Release

Referenced CVEs

  • CVE-2025-1968
  • CVE-2024-5658