CVE-2025-4644
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-29

Last updated on: 2025-08-29

Assigner: CERT.PL

Description
A Session Fixation vulnerability existed in Payload's SQLite adapter due to identifier reuse during account creation. A malicious attacker could create a new account, save its JSON Web Token (JWT), and then delete the account, which did not invalidate the JWT. As a result, the next newly created user would receive the same identifier, allowing the attacker to reuse the JWT to authenticate and perform actions as that user. This issue has been fixed in version 3.44.0 of Payload.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-29
Last Modified
2025-08-29
Generated
2026-06-16
AI Q&A
2025-08-29
EPSS Evaluated
2026-06-14
NVD
CVE-2025-4644
EUVD
EUVD-2025-26181
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
payload cms 3.44.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-384 Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Session Fixation issue in Payload CMS's SQLite adapter caused by identifier reuse during account creation. An attacker can create a new account, save its JSON Web Token (JWT), then delete the account without invalidating the JWT. When a new user is created, they might receive the same identifier, allowing the attacker to reuse the saved JWT to authenticate as that new user and perform actions on their behalf. [1]

Impact Analysis

This vulnerability can allow an attacker to impersonate a legitimate user by reusing a previously obtained JWT. This unauthorized access could enable the attacker to perform actions as the victim user, potentially leading to data breaches, unauthorized changes, or other malicious activities within the affected system. [1]

Detection Guidance

This vulnerability can be detected by monitoring for reuse of JSON Web Tokens (JWTs) associated with deleted accounts or by checking for repeated user identifiers during account creation in Payload CMS versions prior to 3.44.0. Since the vulnerability involves JWT reuse after account deletion, inspecting logs for authentication attempts using JWTs that correspond to deleted accounts may help. Specific commands are not provided in the resources, but general approaches include analyzing Payload CMS logs for JWT reuse patterns and verifying user identifiers in the SQLite database for duplication after account deletion. [1]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade Payload CMS to version 3.44.0 or later, where the issue has been fixed. Until the upgrade can be applied, consider monitoring and invalidating JWTs associated with deleted accounts manually if possible, and restrict account creation and deletion activities to trusted users to reduce exploitation risk. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-4644. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart