Vulnerability Description
Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or intercepted token to freely reuse it until expiration date (which is by default set to 2 hours, but can be changed). This issue has been fixed in version 3.44.0 of Payload.
Related Weaknesses (CWE)
References
- https://cert.pl/en/posts/2025/08/CVE-2025-4643
- https://github.com/payloadcms/payload
- https://payloadcms.com
FAQ
What is CVE-2025-4643?
CVE-2025-4643 is a documented vulnerability. Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or intercepted token to freely reuse it until expiration date (whic...
How severe is CVE-2025-4643?
CVSS scoring is not yet available for CVE-2025-4643. Check NVD for updates.
Is there a patch for CVE-2025-4643?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.