Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or intercepted token to freely reuse it until expiration date (which is by default set to 2 hours, but can be changed).

This issue has been fixed in version 3.44.0 of Payload.
History

Tue, 02 Sep 2025 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Payloadcms
Payloadcms payload
Vendors & Products Payloadcms
Payloadcms payload

Fri, 29 Aug 2025 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 Aug 2025 10:15:00 +0000

Type Values Removed Values Added
Description Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or intercepted token to freely reuse it until expiration date (which is by default set to 2 hours, but can be changed). This issue has been fixed in version 3.44.0 of Payload.
Title Lack of JWT Expiration after Log Out in PayloadCMS
Weaknesses CWE-613
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2025-08-29T11:54:27.895Z

Reserved: 2025-05-13T07:10:07.627Z

Link: CVE-2025-4643

cve-icon Vulnrichment

Updated: 2025-08-29T11:54:24.535Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-08-29T10:15:30.880

Modified: 2025-08-29T16:24:29.730

Link: CVE-2025-4643

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-09-02T15:23:34Z