PT-2025-35200 · Pyload · Pyload

Arkadiusz Marta · Published 2025-08-29 · Updated 2025-08-29 · CVE-2025-4643

CVSS v4.0: 6.3 (Medium)

Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: Payload versions prior to 3.44.0

Description: Payload uses JSON Web Tokens (JWT) for authentication. After a user logs out, the JWT is not invalidated on the server side, so an attacker who has obtained a valid token (by theft or interception) can keep using it until it expires. The default token lifetime is two hours, but this value is configurable, and a longer lifetime widens the replay window accordingly.

Recommendations: Update to version 3.44.0 or later.

Fix

Update to version 3.44.0 or later.

Weakness Enumeration

Insufficient Session Expiration

Session Fixation

Related identifiers

CVE-2025-4643
GHSA-26RV-H2HF-3FW4
GHSA-5V66-M237-HWF7

Affected products

Pyload