| CVE ID | CVE-2025-4643 |
|---|---|
| Publication date | 29 August 2025 |
| Vendor | Payload CMS |
| Product | Payload |
| Vulnerable versions | All before 3.44.0 |
| Vulnerability type (CWE) | Insufficient Session Expiration (CWE-613) |
| Report source | Report to CERT Polska |
| CVE ID | CVE-2025-4644 |
|---|---|
| Publication date | 29 August 2025 |
| Vendor | Payload CMS |
| Product | Payload |
| Vulnerable versions | All before 3.44.0 |
| Vulnerability type (CWE) | Session Fixation (CWE-384) |
| Report source | Report to CERT Polska |
Description
CERT Polska has received a report about vulnerabilities in Payload CMS software and participated in coordinating their disclosure.
CVE-2025-4643: Payload uses JSON Web Tokens (JWT) for authentication. On logout the JWT is not invalidated server-side, so an attacker who has stolen or intercepted a token can keep using it until it expires (2 hours by default; the token lifetime is configurable).
CVE-2025-4644: A session fixation vulnerability existed in Payload's SQLite adapter due to identifier reuse during account creation. An attacker could create an account, save its JWT and then delete the account; the deletion did not invalidate the JWT. The next newly created user received the same identifier, so the attacker's saved JWT authenticated as that user and could be used to perform actions on their behalf.
These issues have been fixed in version 3.44.0 of Payload.
Credits
We thank Arkadiusz Marta for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.