Authentication Vulnerability in Payload by Payload CMS
CVE-2025-4643

6.3MEDIUM

Key Information:

Vendor

Payload Cms

Status
Payload
Vendor
CVE Published:
29 August 2025

What is CVE-2025-4643?

The Payload CMS has a security vulnerability that allows an attacker to exploit JSON Web Tokens (JWT) for authentication purposes. After a user logs out, the JWT remains valid and is not invalidated, enabling unauthorized access through token reuse until the token's expiration date. This vulnerability is particularly concerning as the default expiration time is set to 2 hours, making it critical for users to update to version 3.44.0 or later to mitigate these risks. For more detailed guidance, refer to the official documentation.

Affected Version(s)

Payload 0 < 3.44.0

References

https://cert.pl/en/posts/2025/08/CVE-2025-4643
third-party-advisory
https://payloadcms.com
product
https://github.com/payloadcms/payload
product

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Arkadiusz Marta
.
CVE-2025-4643 : Authentication Vulnerability in Payload by Payload CMS