Password reset links generated after multiple requests do not expire as expected.
Description:
When a user requests a password reset multiple times, the first password reset link remains valid and can still be used, even though subsequent links are generated. This creates a security vulnerability, as older reset links should be invalidated upon the generation of a new link.
Steps to Reproduce:
Navigate to the application login page.
Click on the First Login.
It will give a default password link.
Click on it multiple times, or do some rate limiting.
Enter a valid email address and request a password reset link (Link 1).
Without using Link 1, request another password reset link (Link 2).
Attempt to reset the password using Link 1 after Link 2 has been generated.
Expected Result:
Link 1 should expire and become invalid after Link 2 is generated.
Actual Result:
Link 1 remains valid and can still be used to reset the password, despite subsequent links being generated.
Impact:
Security Risk: Older reset links can be exploited if intercepted, compromising user accounts.
User Experience: This behavior may confuse users who assume older links are invalidated.
Proposed Fix:
Ensure all previously generated password reset links are invalidated when a new reset link is generated for the same user.
Add a validation check in the backend to reject any older links automatically.
POC Attached
I hope I will get a response as soon as possible.
bandicam.2024-12-08.11-53-13-349.mp4
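A minimal backend that behaves the way the proposed fix describes (only the latest link for a user is accepted, and it is single-use and time-limited), added here as an illustration and not code from the project this issue is filed against; the in-memory store, the `PasswordResetService` name and the 15-minute TTL are assumptions:

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple


class PasswordResetService:
    """Single-use, short-lived reset tokens; issuing a new token for a user revokes
    every earlier one, so an old link is rejected. Hypothetical in-memory store."""

    TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link

    def __init__(self, clock=time.time):
        self._clock = clock
        self._active: Dict[str, str] = {}                 # user_id -> hash of the only live token
        self._records: Dict[str, Tuple[str, float]] = {}  # token hash -> (user_id, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        # Store only a hash so a leaked table does not expose usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)  # CSPRNG-backed, unguessable token
        digest = self._digest(token)
        previous = self._active.get(user_id)
        if previous is not None:
            self._records.pop(previous, None)  # Link 1 dies the moment Link 2 is generated
        self._active[user_id] = digest
        self._records[digest] = (user_id, self._clock() + self.TTL_SECONDS)
        return token

    def validate(self, token: str) -> Optional[str]:
        # Returns the owning user id, or None when the link must be rejected.
        digest = self._digest(token)
        rec = self._records.get(digest)
        if rec is None or self._clock() > rec[1]:
            return None
        user_id = rec[0]
        if self._active.get(user_id) != digest:  # backend check: not the latest token
            return None
        return user_id

    def consume(self, token: str) -> Optional[str]:
        # Validate and burn the token; change the password only if this returns a user id.
        user_id = self.validate(token)
        if user_id is not None:
            del self._records[self._digest(token)]
            self._active.pop(user_id, None)
        return user_id
```

A production version would keep the same two tables in the database and enforce the "latest token only" rule there; the point is that validation rejects anything other than the most recently issued, unused, unexpired token.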