Full Report
CERT Polska has received a report about 2 vulnerabilities (CVE-2025-4643 and CVE-2025-4644).
Analysis Summary
This summary covers the two vulnerabilities reported in Payload CMS software, as detailed by CERT Polska.
---
# Vulnerability: Insufficient Session Expiration and Session Fixation in Payload CMS
## CVE Details (CVE-2025-4643)
- CVE ID: CVE-2025-4643
- CVSS Score: *Score not provided in text, assumed unknown*
- CWE: CWE-613 (Insufficient Session Expiration)
## Affected Systems
- Products: Payload CMS
- Versions: All versions before 3.44.0
- Configurations: General usage of JWT-based authentication.
## Vulnerability Description (CVE-2025-4643)
Payload uses JSON Web Tokens (JWT) for authentication. When a user logs out, their JWT is **not invalidated** server-side, so an attacker who has previously stolen or intercepted a valid token can keep using it to authenticate until the token's expiration time (2 hours by default, though configurable) is reached.
## Exploitation
- Status: *Not explicitly stated, assumed not exploited in the wild*
- Complexity: *Not explicitly stated*
- Attack Vector: *Not explicitly stated, likely Network/Adjacent*
## Impact
- Confidentiality: High (Due to persistent token reuse)
- Integrity: High (Due to persistent token reuse)
- Availability: *Not explicitly stated*
## Remediation
### Patches
- Payload version **3.44.0** and later.
### Workarounds
- *No specific workarounds listed, but advised to update immediately.*
## Detection
- *No specific detection methods or IoCs provided in the source text.*
## References
- Vendor advisory: See Payload documentation (implied fix in 3.44.0)
- Relevant links: https://cert.pl/en/news/, https://www.cve.org/CVERecord?id=CVE-2025-4643
---
# Vulnerability: Session Fixation via JWT Reuse in Payload CMS SQLite Adapter
## CVE Details (CVE-2025-4644)
- CVE ID: CVE-2025-4644
- CVSS Score: *Score not provided in text, assumed unknown*
- CWE: CWE-384 (Session Fixation)
## Affected Systems
- Products: Payload CMS (specifically using the SQLite adapter)
- Versions: All versions before 3.44.0
- Configurations: Usage of the SQLite adapter for user account management.
## Vulnerability Description (CVE-2025-4644)
This vulnerability exists in Payload's SQLite adapter due to identifier reuse during account creation. A malicious attacker could:
1. Create a new account.
2. Save the resulting JSON Web Token (JWT) assigned to that account.
3. Delete the newly created account.
4. When a *new, legitimate user* creates an account, the system reuses the identifier previously associated with the deleted account, so the JWT the attacker saved in step 2 now resolves to the victim's account.
The attacker can then use that saved JWT to authenticate as the newly created victim user.
## Exploitation
- Status: *Not explicitly stated, assumed not exploited in the wild*
- Complexity: *Not explicitly stated, likely Medium/High to coordinate account creation/deletion*
- Attack Vector: *Network/Adjacent*
## Impact
- Confidentiality: High (Authentication bypass/impersonation)
- Integrity: High (Authentication bypass/impersonation)
- Availability: *Not explicitly stated*
## Remediation
### Patches
- Payload version **3.44.0** and later.
### Workarounds
- *No specific workarounds listed, but advised to update immediately.*
## Detection
- *No specific detection methods or IoCs provided in the source text.*
## References
- Vendor advisory: See Payload documentation (implied fix in 3.44.0)
- Relevant links: https://cert.pl/en/news/, https://www.cve.org/CVERecord?id=CVE-2025-4644