CVE-2025-4644
BaseFortify
Publication date: 2025-08-29
Last updated on: 2025-08-29
Assigner: CERT.PL
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| payload | cms | < 3.44.0 (fixed in 3.44.0) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-384 | Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Session Fixation issue (CWE-384) in Payload CMS's SQLite adapter caused by identifier reuse during account creation. An attacker creates an account, saves the JSON Web Token (JWT) issued for it, and then deletes the account; the deletion does not invalidate the JWT. If the adapter later assigns the freed identifier to a newly created user, the identifier carried in the saved JWT now matches that user, and the attacker can present the token to authenticate as the new user and perform actions on their behalf. [1]
How can this vulnerability impact me?
This vulnerability allows an attacker to impersonate a legitimate user by replaying a JWT obtained for an account the attacker created and then deleted. The attacker can perform any action the victim's account permits, which can lead to data exposure, unauthorized changes, or further abuse within the affected system. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for reuse of JSON Web Tokens (JWTs) associated with deleted accounts, or by checking whether user identifiers are reassigned after deletion, on Payload CMS deployments running versions prior to 3.44.0 with the SQLite adapter. Because exploitation depends on a token that was minted before the victim's account existed, two practical checks are: inspect authentication logs for tokens whose user identifier belongs to an account that was deleted at the time the token was issued, and compare a token's issued-at time against the creation time of the account it resolves to. Specific commands are not provided in the resources; general approaches include analyzing Payload CMS logs for JWT reuse patterns and querying the SQLite users table to confirm whether an identifier freed by a deletion is later reused by a new record. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade Payload CMS to version 3.44.0 or later, where the issue has been fixed. Until the upgrade can be applied, invalidate JWTs associated with deleted accounts if your deployment allows it (rotating the JWT signing secret invalidates every outstanding token, which is a blunt but effective option), and restrict account creation and deletion to trusted users, since the attack requires the attacker to create and delete an account of their own. [1]