CVE-2025-53642: CWE-613: Insufficient Session Expiration in haxtheweb issues
haxcms-nodejs and haxcms-php are backends for HAXcms. The logout function within the application does not terminate a user's session or clear their cookies. Additionally, the application issues a refresh token when logging out. This vulnerability is fixed in 11.0.6.
AI Analysis
Technical Summary
CVE-2025-53642 is a medium-severity vulnerability in haxtheweb's HAXcms backend implementations, haxcms-nodejs and haxcms-php, in versions prior to 11.0.6. The core issue is insufficient session expiration (CWE-613): when a user logs out, the application neither terminates the server-side session nor clears the authentication cookies, and it even issues a new refresh token on logout, which should never happen. An attacker who has obtained the user's session token or cookies can therefore keep using them after the user believes they have logged out, retaining unauthorized access. The CVSS 3.1 base score is 4.8: network attack vector, high attack complexity, no privileges required and no user interaction. The impact is on confidentiality and integrity, since a stale session can be used to read data or act on behalf of the legitimate user; availability is not affected. No exploits are currently reported in the wild. The flaw lies in the session-management logic of the logout function, a critical part of any authentication workflow; it is exploitable remotely without authentication, but requires a relatively complex precondition such as intercepting or stealing a token. Issuing a refresh token on logout is a significant design flaw because it undermines the session-invalidation mechanism itself. The vulnerability is fixed in version 11.0.6 of the affected products.
Potential Impact
For European organizations using HAXcms with the vulnerable backends, this vulnerability poses a risk of unauthorized access persistence after logout, potentially leading to data leakage or unauthorized modifications within the CMS environment. Confidential information managed through HAXcms could be exposed or altered by attackers who exploit stale sessions. This is particularly concerning for organizations handling sensitive or regulated data under GDPR, where unauthorized data access can lead to compliance violations and financial penalties. The medium severity and lack of known exploits reduce immediate risk, but the vulnerability could be leveraged in targeted attacks or combined with other weaknesses. The persistence of sessions after logout undermines user trust and security hygiene, increasing the attack surface for insider threats or external attackers who have obtained session tokens. The impact is more pronounced in environments where session tokens are transmitted over insecure channels or where endpoint security is weak. Since availability is unaffected, the primary concerns are confidentiality and integrity of data and user actions within the CMS.
Mitigation Recommendations
European organizations should promptly upgrade all instances of haxcms-nodejs and haxcms-php to version 11.0.6 or later, where the vulnerability is fixed. Until upgrading, organizations should implement compensating controls such as enforcing short session lifetimes and server-side session invalidation mechanisms independent of the application logout function. Monitoring and logging of session token usage can help detect anomalous reuse of tokens after logout. Employing secure cookie attributes (HttpOnly, Secure, SameSite) and ensuring all communications occur over TLS will reduce the risk of token interception. Additionally, organizations should review their token issuance policies to prevent refresh tokens from being issued on logout events. Conducting security audits of session management logic and educating developers on secure logout implementations can prevent similar issues. Finally, organizations should consider implementing multi-factor authentication to reduce the impact of compromised sessions.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-07-07T14:20:38.391Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68714ddea83201eaacafd4a5
Added to database: 7/11/2025, 5:46:06 PM
Last enriched: 7/18/2025, 9:18:01 PM
Last updated: 8/22/2025, 6:01:25 PM
Views: 42