CVE-2025-4643
Good to know:

Date: August 29, 2025
Payload uses JSON Web Tokens (JWT) for authentication. After logout, the JWT is not invalidated, which allows an attacker who has stolen or intercepted a token to reuse it freely until its expiration date (which is set to 2 hours by default, but can be changed). This issue has been fixed in version 3.44.0 of Payload.
Weakness Type (CWE)
CWE-613: Insufficient Session Expiration

Top Fix
Upgrade Version
Upgrade to version: payload 3.44.0; @payloadcms/next 3.44.0; @payloadcms/graphql 3.44.0
CVSS v3.1

| Metric | Value |
|---|---|
| Base Score | |
| Attack Vector (AV) | NETWORK |
| Attack Complexity (AC) | HIGH |
| Privileges Required (PR) | NONE |
| User Interaction (UI) | NONE |
| Scope (S) | UNCHANGED |
| Confidentiality (C) | LOW |
| Integrity (I) | LOW |
| Availability (A) | NONE |