PT-2025-35200 · Pyload · Pyload
Arkadiusz Marta · Published 2025-08-29 · Updated 2025-08-29 · CVE-2025-4643
| CVSS v4.0 | 6.3 (Medium) |
| Vector | AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Pyload versions prior to 3.44.0
Description
Pyload uses JSON Web Tokens (JWT) for authentication. Logging out does not invalidate the JWT that was issued at login, so an attacker who has obtained a valid token (for example by theft from a client or interception on an unencrypted connection) can keep using it until it expires. The default lifetime is two hours, but it is configurable, and a longer lifetime extends the replay window accordingly. A quick way to confirm an instance is affected: log in, copy the issued token, call the logout endpoint, then replay the same token against an authenticated API call; if the call still succeeds, the token survived the logout.
Recommendations
Update to version 3.44.0 or later.
Weakness Types
Insufficient Session Expiration (CWE-613)
Session Fixation (CWE-384)
Affected Products
Pyload