Miggo Logo
Miggo Vulnerability Database
CVE-2018-1000814

CVE-2018-1000814:
aiohttp-session creates non-expiring sessions

6.5

CVSS Score

Basic Information

CVE ID
CVE-2018-1000814
GHSA ID
GHSA-mr4x-c4v9-x729
EPSS Score
-
CWE
CWE-613
Published
12/20/2018
Updated
3/14/2025
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
aiohttp-sessionpip<= 2.6.02.7.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper session expiration handling in the Session constructor. The pre-patch code in aiohttp_session/init.py didn't compare session age against max_age during initialization, allowing attackers to reuse expired cookies. The fix added an age check that nullifies session data when max_age is exceeded. This matches the CWE-613 description of insufficient session expiration and aligns with the commit diff showing the vulnerability was addressed in the Session initialization logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*io-li*s *io*ttp-s*ssion v*rsion *.*.* *n* **rli*r *ont*ins * Ot**r/Unknown vuln*r**ility in *n*rypt***ooki*Stor*** *n* N**l*ooki*Stor*** t**t **n r*sult in Non-*xpirin* s*ssions / In*init* li**sp*n. T*is *tt**k *pp**r to ** *xploit**l* vi* R**r**tio

Reasoning

T** vuln*r**ility st*ms *rom improp*r s*ssion *xpir*tion **n*lin* in t** S*ssion *onstru*tor. T** pr*-p*t** *o** in *io*ttp_s*ssion/__init__.py *i*n't *omp*r* s*ssion *** ***inst m*x_*** *urin* initi*liz*tion, *llowin* *tt**k*rs to r*us* *xpir** *ook