CVE-2025-4643: CWE-613 Insufficient Session Expiration in Payload CMS Payload
Payload uses JSON Web Tokens (JWT) for authentication. After logout, the JWT is not invalidated, which allows an attacker who has stolen or intercepted a token to freely reuse it until its expiration date (which defaults to 2 hours, but can be changed). This issue has been fixed in version 3.44.0 of Payload.
AI Analysis
Technical Summary
CVE-2025-4643 is a security vulnerability classified under CWE-613 (Insufficient Session Expiration) affecting Payload CMS, a content management system that uses JSON Web Tokens (JWT) for authentication. The core issue is that JWTs are not invalidated when a user logs out. Normally, logging out should invalidate the authentication token so it cannot be reused. In affected versions of Payload CMS prior to 3.44.0, however, the JWT remains valid until its natural expiration, which is two hours by default but can be configured. This means that if an attacker manages to steal or intercept a JWT (for example through a man-in-the-middle attack, cross-site scripting, or compromise of the user's device), they can replay the token to impersonate the legitimate user and access the system without re-authenticating, even after that user has logged out. Exploitation requires no user interaction, privileges, or authentication, but it does require that the attacker already holds a valid token. The CVSS 4.0 base score is 6.3 (medium severity), reflecting a network attack vector, high attack complexity, no privileges required, no user interaction, and low impact on confidentiality and integrity. The vulnerability has been fixed in Payload CMS version 3.44.0 by invalidating the session on logout, so tokens cannot be reused after logout. No known exploits are reported in the wild as of the publication date.
Potential Impact
For European organizations using Payload CMS, this vulnerability poses a significant risk to the confidentiality and integrity of their web applications and data. Attackers who obtain valid JWTs can impersonate users, potentially gaining unauthorized access to sensitive content, administrative functions, or user data. This can lead to data breaches, unauthorized content modification, or disruption of services. Since Payload CMS is often used for managing web content, compromised sessions could allow attackers to inject malicious content or deface websites, damaging organizational reputation. The medium severity rating indicates that while the vulnerability is not trivially exploitable, the impact of successful exploitation can be substantial. European organizations in sectors such as media, education, government, and e-commerce that rely on Payload CMS for their web presence are particularly at risk. Additionally, the GDPR framework in Europe mandates strict data protection; a breach resulting from this vulnerability could lead to regulatory penalties and loss of customer trust.
Mitigation Recommendations
European organizations should immediately verify the version of Payload CMS in use and upgrade to version 3.44.0 or later, where the vulnerability is patched. Beyond upgrading, organizations should implement additional security controls:
1) Enforce short JWT expiration times to limit the window in which a stolen token can be reused.
2) Implement a token revocation list or maintain server-side session state so tokens can be invalidated on logout or on suspicious activity.
3) Use secure transport (TLS) to prevent token interception.
4) Employ multi-factor authentication to reduce the impact of token theft.
5) Monitor logs for unusual token usage patterns indicative of session hijacking, such as the same token used from a new client after a logout.
6) Educate users and administrators about secure session management and token handling.
7) Set the HttpOnly and Secure cookie flags if tokens are stored in cookies, to reduce client-side exposure.
These measures collectively reduce the risk of token theft and unauthorized reuse beyond the patch itself.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: CERT-PL
- Date Reserved: 2025-05-13T07:10:07.627Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68b17e4cad5a09ad0076acf4
Added to database: 8/29/2025, 10:17:48 AM
Last enriched: 8/29/2025, 10:32:59 AM
Last updated: 8/29/2025, 10:32:59 AM