CVE-2025-4643

Lack of JWT Expiration after Log Out in PayloadCMS

Description

Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or intercepted token to freely reuse it until expiration date (which is by default set to 2 hours, but can be changed). This issue has been fixed in version 3.44.0 of Payload.

Category

6.3
CVSS
Severity: Medium
CVSS 4.0 •
EPSS 0.06%
Third-Party Advisory cert.pl
Affected: Payload CMS Payload
Published at:
Updated at:

References

Link Tags
https://cert.pl/en/posts/2025/08/CVE-2025-4643 third party advisory
https://payloadcms.com product
https://github.com/payloadcms/payload product

Frequently Asked Questions

What is the severity of CVE-2025-4643?
CVE-2025-4643 has been scored as a medium severity vulnerability.
How to fix CVE-2025-4643?
To fix CVE-2025-4643, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-4643 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-4643 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-4643?
CVE-2025-4643 affects Payload CMS Payload.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.