Back to search
CVE-2025-4643
Published: Aug 29, 2025
Modified: Aug 29, 2025
PUBLISHED
Description
Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or intercepted token to freely reuse it until expiration date (which is by default set to 2 hours, but can be changed). This issue has been fixed in version 3.44.0 of Payload.
| Vendor | Product | Versions |
|---|---|---|
Payload CMS | Payload | affected 0 - < 3.44.0 |
Weaknesses (CWE)
References
https://cert.pl/en/posts/2025/08/CVE-2025-4643
third-party-advisory
https://payloadcms.com
product
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now