CVE-2025-4643
BaseFortify
Publication date: 2025-08-29
Last updated on: 2025-08-29
Assigner: CERT.PL
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| payloadcms | payload | 3.44.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-613 | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists because, after a user logs out, the JSON Web Token (JWT) used for authentication is not invalidated on the server side. An attacker who steals or intercepts the token can therefore keep reusing it until it expires; the default lifetime is 2 hours, but it is configurable.
How can this vulnerability impact me?
An attacker who obtains a valid JWT can continue to access the system as the authenticated user until the token expires, potentially leading to unauthorized access and misuse of the user's privileges.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Payload to version 3.44.0 or later, where the issue has been fixed. Until then, reduce the JWT expiration time to shrink the window in which a stolen token can be reused, and monitor for suspicious token reuse activity.