django-password-reset
reset links aren't invalidated after they are used
As far as I can tell, password reset links aren't invalidated or expired after they are used:
The reset token is equivalent to a password since it allows anyone who knows it to set a new password. Invalidating the reset token after it is used limits the duration of its validity, which is particularly important for long expiration windows like the 2 day default for this package.
Of course, by all means, once a user's password has been reset, the randomly-generated token should no longer be valid.
https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet#Step_3.29_Send_a_Token_Over_a_Side-Channel (end of paragraph)
This is a major issue.
Any plans on fixing this issue?