Requarks Wiki.js 2.5.307 does not properly revoke or invalidate active JWT tokens when a user logs out. As a result, previously issued tokens remain valid and can be reused to access the system, even after logout. This behavior affects session integrity and may allow unauthorized access if a token is compromised. The issue is present in the authentication resolver logic and affects both the GraphQL endpoint and the logout mechanism.
{
"cna_assigner": "mitre",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/56xxx/CVE-2025-56643.json"
}