CVE-2025-51306

CVSS 6.5 MEDIUM · EPSS 0.3% · CWE-1259
In short

When a user logs out of Gatling Enterprise (versions before 1.25.0), their session token remains valid and can still be used to access the application. This means logout doesn't actually end the user's access.

Technical detail

Gatling Enterprise prior to version 1.25.0 contains improper session invalidation (CWE-1259). The logout mechanism neither expires nor revokes the session token on the server side, so anyone holding a copy of that token (for example, one captured before logout) can keep using it after the legitimate user has logged out. Exploitation therefore requires possession of a valid token and knowledge of the application; it is not reachable by unauthenticated discovery alone.
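To make the defect concrete, the following added example (not Gatling's code; the store, user name and TTL are assumptions) contrasts a logout that only tells the client to drop its cookie with one that revokes the token server-side, and includes the regression check a maintainer would keep to catch the bug described above.

```python
# Added example, not from Gatling: a minimal server-side session store.
# revoke_on_logout=False reproduces the flawed behaviour (token survives
# logout); revoke_on_logout=True is the corrected behaviour.
import secrets
import time


class SessionStore:
    def __init__(self, ttl_seconds=3600, revoke_on_logout=True):
        self._sessions = {}            # token -> (user, absolute expiry)
        self._ttl = ttl_seconds        # assumed absolute lifetime
        self._revoke = revoke_on_logout

    def login(self, user):
        token = secrets.token_urlsafe(32)      # 256-bit unguessable token
        self._sessions[token] = (user, time.time() + self._ttl)
        return token

    def authenticate(self, token):
        """Return the user bound to the token, or None if it is not valid."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expires_at = entry
        if time.time() >= expires_at:          # absolute expiry enforced
            self._sessions.pop(token, None)
            return None
        return user

    def logout(self, token):
        # Flawed variant: the server forgets to drop its own record, so the
        # token keeps working for anyone who still has a copy of it.
        if self._revoke:
            self._sessions.pop(token, None)


def token_survives_logout(store):
    """Regression check: log in, log out, then present the old token again.
    Returns True when the token is still accepted (the vulnerable case)."""
    token = store.login("alice")               # constructed sample user
    assert store.authenticate(token) == "alice"
    store.logout(token)
    return store.authenticate(token) is not None
```

The same check, pointed at a real login/logout endpoint pair, is the quickest way to confirm a deployment has been upgraded past the affected versions.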

Summary generated and translated by AI from the official description.
In Gatling Enterprise versions below 1.25.0, a user logging out can still use his session token to continue using the application without expiration, due to incorrect session management.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Affected products
n/a · n/a