CVE-2025-56643

Source
https://cve.org/CVERecord?id=CVE-2025-56643
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-56643.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-56643
Published
2025-11-18T18:16:07.647Z
Modified
2026-03-13T03:39:05.074075Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
[none]
Details

Requarks Wiki.js 2.5.307 does not properly revoke or invalidate active JWT tokens when a user logs out. As a result, previously issued tokens remain valid and can be reused to access the system, even after logout. This behavior affects session integrity and may allow unauthorized access if a token is compromised. The issue is present in the authentication resolver logic and affects both the GraphQL endpoint and the logout mechanism.

References

Affected packages

Git / github.com/requarks/wiki

Affected ranges

Type
GIT
Repo
https://github.com/requarks/wiki
Events
Introduced
0 (unknown introduced commit; all previous commits are affected)
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.5.307"
        }
    ]
}

Affected versions

2.*
2.0.0-beta.11
2.0.0-beta.115
2.0.0-beta.147
2.0.0-beta.148
2.0.0-beta.174
2.0.0-beta.180
2.0.0-beta.203
2.0.0-beta.208
2.0.0-beta.230
2.0.0-beta.241
2.0.0-beta.267
2.0.0-beta.268
2.0.0-beta.275
2.0.0-beta.303
2.0.0-beta.42
2.0.0-beta.68
2.0.0-beta.84
2.0.0-beta.91
2.0.0-rc.1
2.0.0-rc.17
2.0.1
2.0.12
2.1.113
2.2.50
2.2.51
2.3.71
2.3.72
2.3.77
2.4.105
2.4.107
2.4.75
2.5.105
2.5.117
2.5.121
2.5.126
2.5.132
2.5.136
2.5.144
2.5.159
2.5.170
2.5.191
2.5.197
2.5.201
2.5.214
2.5.219
2.5.254
2.5.255
2.5.260
2.5.264
2.5.268
2.5.272
2.5.274
v1.*
v1.0-alpha.1
v1.0-alpha.2
v1.0-alpha.3
v1.0-alpha.4
v1.0-alpha.5
v1.0-alpha.6
v1.0-alpha.7
v1.0-beta.1
v1.0-beta.2
v1.0-beta.3
v1.0-beta.4
v1.0-beta.5
v1.0.0-beta.10
v1.0.0-beta.11
v1.0.0-beta.12
v1.0.0-beta.13
v1.0.0-beta.6
v1.0.0-beta.7
v1.0.0-beta.8
v1.0.0-beta.9
v1.0.1
v1.0.10
v1.0.11
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.0.9
v2.*
v2.5.275
v2.5.276
v2.5.277
v2.5.278
v2.5.279
v2.5.280
v2.5.281
v2.5.282
v2.5.283
v2.5.284
v2.5.285
v2.5.286
v2.5.287
v2.5.288
v2.5.289
v2.5.290
v2.5.291
v2.5.292
v2.5.293
v2.5.294
v2.5.295
v2.5.296
v2.5.297
v2.5.298
v2.5.299
v2.5.300
v2.5.301
v2.5.302
v2.5.303
v2.5.304
v2.5.305
v2.5.306
v2.5.307

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-56643.json"