GHSA-5v66-m237-hwf7
Suggest an improvement- Source
- https://github.com/advisories/GHSA-5v66-m237-hwf7
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-5v66-m237-hwf7/GHSA-5v66-m237-hwf7.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-5v66-m237-hwf7
- Aliases
-
- CVE-2025-4643
- Published
- 2025-08-29T12:31:11Z
- Modified
- 2025-08-29T17:42:18.920540Z
- Severity
-
- 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Payload does not invalidate JWTs after log out
- Details
-
Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or intercepted token to freely reuse it until expiration date (which is by default set to 2 hours, but can be changed).
This issue has been fixed in version 3.44.0 of Payload.
- Database specific
{ "severity": "MODERATE", "github_reviewed_at": "2025-08-29T16:57:54Z", "nvd_published_at": "2025-08-29T10:15:30Z", "cwe_ids": [ "CWE-613" ], "github_reviewed": true }- References
Affected packages
npm / payload
Package
- Name
- payload
- View open source insights on deps.dev
- Purl
- pkg:npm/payload
npm / @payloadcms/next
Package
- Name
- @payloadcms/next
- View open source insights on deps.dev
- Purl
- pkg:npm/%40payloadcms/next
npm / @payloadcms/graphql
Package
- Name
- @payloadcms/graphql
- View open source insights on deps.dev
- Purl
- pkg:npm/%40payloadcms/graphql