CWE-298
Improper Validation of Certificate Expiration
Common consequences
- Integrity: Other
The data read from the system vouched for by the expired certificate may be flawed due to malicious spoofing.
- Authentication: Other
Trust may be assigned to certificates that have been abandoned due to age.
Potential mitigations
- Architecture and Design
Check for expired certificates and provide the user with adequate information about the nature of the problem and how to proceed.
- Implementation
If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the expiration.
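As an added illustration of the second mitigation (this is example code written for this page, not code from MITRE's CWE entry or from any project listed below), the Go program that follows records a pin only after the certificate has passed full x509 chain, hostname and validity-period checks, and places the CWE-298 anti-pattern of pinning without any validation beside it. The function names (MakeTestCert, PinAfterValidation, UnsafePin, VerifyPinned), the host name device.example and the certificate itself are assumptions constructed for the example; the current time is passed in explicitly so the expired and not-yet-valid cases can be exercised deterministically.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// MakeTestCert builds a self-signed certificate for "device.example" whose
// validity window is [notBefore, notAfter]. Constructed test data only.
func MakeTestCert(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "device.example"},
		DNSNames:              []string{"device.example"},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SPKIFingerprint returns the hex SHA-256 of the SubjectPublicKeyInfo,
// the value normally stored as a pin.
func SPKIFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// UnsafePin is the CWE-298 anti-pattern: it records a pin without checking
// the chain, the name or the validity period, so an expired (or not yet
// valid) certificate stays trusted for as long as the pin is kept.
func UnsafePin(cert *x509.Certificate) string {
	return SPKIFingerprint(cert)
}

// PinAfterValidation only returns a fingerprint once the certificate has
// passed chain, hostname and time validation as of now. Production callers
// pass time.Now(); an expired or not-yet-valid certificate surfaces as
// x509.CertificateInvalidError with Reason x509.Expired.
func PinAfterValidation(cert *x509.Certificate, roots *x509.CertPool, host string, now time.Time) (string, error) {
	opts := x509.VerifyOptions{
		Roots:       roots,
		DNSName:     host,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("refusing to pin: %w", err)
	}
	return SPKIFingerprint(cert), nil
}

// VerifyPinned is the check on later connections: the presented certificate
// must still validate (dates included) and must match the stored pin.
func VerifyPinned(cert *x509.Certificate, roots *x509.CertPool, host, expectedPin string, now time.Time) error {
	got, err := PinAfterValidation(cert, roots, host, now)
	if err != nil {
		return err
	}
	if got != expectedPin {
		return fmt.Errorf("pin mismatch: got %s, want %s", got, expectedPin)
	}
	return nil
}

func main() {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	// Constructed: a certificate that expired one year before "now".
	cert, err := MakeTestCert(now.AddDate(-2, 0, 0), now.AddDate(-1, 0, 0))
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	fmt.Println("unsafe pin (no checks):", UnsafePin(cert))
	if _, err := PinAfterValidation(cert, roots, "device.example", now); err != nil {
		fmt.Println("validated pin:", err)
	}
}
```

Passing the clock in rather than calling time.Now() inside the check is a deliberate choice: it keeps the expiry path testable, and it makes the dependence on a trustworthy time source explicit, which matters on embedded devices whose clock may be unset or attacker-influenced.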
CVEs referencing this CWE
| CVE | Description | Severity | EPSS | Flags | Modified |
|---|---|---|---|---|---|
| CVE-2022-31145 | FlyteAdmin is the control plane for Flyte responsible for managing entities and administering workflow executions. In versions 1.1.30 and prior, authenticated users using an external identity provider can continue to use Access Tokens and ID Tokens even after they expire. Users who use FlyteAdmin as the OAuth2 Authorization Server are unaffected by this issue. A patch is available on the `master` branch of the repository. As a workaround, rotating signing keys immediately will invalidate all open sessions and force all users to attempt to obtain new tokens. Those who use this workaround should continue to rotate keys until FlyteAdmin has been upgraded and hide the FlyteAdmin deployment ingress URL from the internet. | MEDIUM (6.5) | 0.74% (p50) | | 2025-04-23 |
| CVE-2023-42446 | Pow is an authentication and user management solution for Phoenix and Plug-based apps. Starting in version 1.0.14 and prior to version 1.0.34, use of `Pow.Store.Backend.MnesiaCache` is susceptible to session hijacking as expired keys are not being invalidated correctly on startup. A session may expire when all `Pow.Store.Backend.MnesiaCache` instances have been shut down for a period that is longer than a session's remaining TTL. Version 1.0.34 contains a patch for this issue. As a workaround, expired keys, including all expired sessions, can be manually invalidated. | MEDIUM (6.5) | 0.45% (p36) | | 2024-11-21 |
| CVE-2025-67109 | Improper verification of the time certificate in Eclipse Cyclone DDS before v0.10.5 allows attackers to bypass certificate checks and execute commands with System privileges. | CRITICAL (10.0) | 0.30% (p21) | | 2026-01-06 |
| CVE-2025-67108 | eProsima Fast-DDS v3.3 was discovered to contain improper validation for ticket revocation, resulting in insecure communications and connections. | CRITICAL (10.0) | 0.30% (p21) | | 2026-01-02 |
| CVE-2025-59036 | Infrahub offers a central hub to manage data, templates, and playbooks. Prior to versions 1.3.9 and 1.4.5, a bug in the authentication logic will cause API tokens that were deleted and/or expired to be considered valid. This means that any API token that is associated with an active user account can authenticate successfully. This issue is fixed in versions 1.3.9 and 1.4.5. As a workaround, users can delete or deactivate the account associated with a deleted API token to prevent that token from authenticating. | MEDIUM (5.5) | 0.18% (p7) | | 2026-04-15 |
| CVE-2025-4384 | The MQTT add-on of PcVue fails to verify that a remote device's certificate has not already expired or has not yet become valid. This allows malicious devices to present certificates that are not rejected properly. The use of a client certificate reduces the risk for random devices to take advantage of this flaw. | NONE | 0.11% (p1) | | 2026-04-15 |
| CVE-2025-61736 | Successful exploitation of this vulnerability could result in the product failing to re-establish communication once the certificate expires. | NONE | 0.09% (p1) | | 2026-04-15 |