CVE-2025-4643
6.3
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or intercepted token to freely reuse it until expiration date (which is by default set to 2 hours, but can be changed).
This issue has been fixed in version 3.44.0 of Payload.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Payload CMS | Payload | 0 < 3.44.0 | affected |
Weaknesses
- CWE-613: CWE-613 Insufficient Session Expiration
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://cert.pl/en/posts/2025/08/CVE-2025-4643
- https://payloadcms.com
- https://github.com/payloadcms/payload
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.