CVE-2025-4643

Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or intercepted token to freely reuse it until expiration date (which is by default set to 2 hours, but can be changed).

This issue has been fixed in version 3.44.0 of Payload.

Published: Aug 29, 2025
Updated: Aug 30, 2025
CVE: CVE-2025-4643
GHSA: GHSA-5v66-m237-hwf7
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-613

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
payload	-	3.44.0
@payloadcms / next	-	3.44.0
@payloadcms / graphql	-	3.44.0

https://cert.pl/en/posts/2025/08/CVE-2025-4643
https://github.com/payloadcms/payload/commit/26d709dda6e512ce347557eaa2057db6e0cbf809

Vulnerability Database

CVE-2025-4643