Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or intercepted token to freely reuse it until expiration date (which is by default set to 2 hours, but can be changed).
This issue has been fixed in version 3.44.0 of Payload.
This issue has been fixed in version 3.44.0 of Payload.
Metrics
Affected Vendors & Products
References
History
Tue, 02 Sep 2025 15:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Payloadcms
Payloadcms payload |
|
Vendors & Products |
Payloadcms
Payloadcms payload |
Fri, 29 Aug 2025 12:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Fri, 29 Aug 2025 10:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or intercepted token to freely reuse it until expiration date (which is by default set to 2 hours, but can be changed). This issue has been fixed in version 3.44.0 of Payload. | |
Title | Lack of JWT Expiration after Log Out in PayloadCMS | |
Weaknesses | CWE-613 | |
References |
| |
Metrics |
cvssV4_0
|

Status: PUBLISHED
Assigner: CERT-PL
Published:
Updated: 2025-08-29T11:54:27.895Z
Reserved: 2025-05-13T07:10:07.627Z
Link: CVE-2025-4643

Updated: 2025-08-29T11:54:24.535Z

Status : Awaiting Analysis
Published: 2025-08-29T10:15:30.880
Modified: 2025-08-29T16:24:29.730
Link: CVE-2025-4643

No data.

Updated: 2025-09-02T15:23:34Z