CVE-2025-4644 in Payload
Summary
by MITRE • 08/29/2025
A Session Fixation vulnerability existed in Payload's SQLite adapter due to identifier reuse during account creation. A malicious attacker could create a new account, save its JSON Web Token (JWT), and then delete the account, which did not invalidate the JWT. As a result, the next newly created user would receive the same identifier, allowing the attacker to reuse the JWT to authenticate and perform actions as that user.
This issue has been fixed in version 3.44.0 of Payload.
Analysis
by VulDB Data Team • 08/29/2025
CVE-2025-4644 is a critical session fixation weakness in Payload's SQLite adapter. The flaw stems from improper identifier management during account creation: the adapter does not invalidate tokens when an account is deleted, so a user identifier, and any JWT bound to it, can be reused, opening the way to unauthorized access.
The technical flaw is a session-management failure: the SQLite adapter does not enforce that a user identifier is assigned only once. When an attacker creates an account, the system issues a JSON Web Token bound to that account's identifier. Deleting the account does not invalidate the JWT. The next newly created user receives the same identifier, so the retained JWT now resolves to that user and the attacker can impersonate them.
The operational impact spans authentication and access control. An attacker can keep unauthorized access to user accounts, which can lead to data breaches, privilege escalation and unauthorized system modifications. Because the weakness lies in identifier lifecycle management, the access can persist without being detected. The vulnerability falls under the authentication and session-management weaknesses listed in the OWASP Top Ten.
The fix in Payload version 3.44.0 addresses the core issue through improved identifier management and token invalidation: JWTs associated with a deleted account are invalidated and cannot be reused by later account creations, and identifiers of deleted accounts are not reused, which removes the session fixation vector. Organizations should upgrade to version 3.44.0 or later and confirm that their authentication controls behave as expected.
This vulnerability is a textbook case of improper session management as categorized under CWE-384 (session fixation). The attack pattern maps to the MITRE ATT&CK credential access and privilege escalation tactics, specifically authentication bypass. It shows how a small implementation flaw in a database adapter can create a significant security risk, and underlines the need for thorough security testing, robust session lifecycle management and reliable token invalidation in authentication systems.
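The identifier-reuse sequence described in the summary and analysis above, and the two mitigations the fix is said to combine (not reusing identifiers of deleted accounts, and invalidating their tokens), as an added Python example. This is not Payload's code and does not reproduce Payload's schema or token format: it simulates the adapter with the stdlib `sqlite3` module and a minimal HS256-style token, and assumes, as a hypothesis only, that the identifier comes from an `INTEGER PRIMARY KEY` column without `AUTOINCREMENT`, which SQLite may reuse once the highest-numbered row is deleted. The signing key, table, e-mail addresses and `token_salt` column are constructed for the demo.

```python
"""Added example (not Payload's code): stale JWT resolving to a reused
SQLite rowid, beside a hardened store that rejects it."""
import base64
import hashlib
import hmac
import json
import secrets
import sqlite3
from typing import Optional

SECRET = b"constructed-demo-signing-key"  # constructed placeholder, not a real key


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict) -> str:
    """Minimal HS256-style JWT: header.payload.signature (stdlib only)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = _b64(hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"


def verify_token(token: str) -> Optional[dict]:
    """Return the claims if the signature checks out, otherwise None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        return json.loads(_unb64(payload))
    except ValueError:  # wrong part count, bad base64 (binascii.Error) or bad JSON
        return None


class UserStore:
    """hardened=False: plain INTEGER PRIMARY KEY (SQLite reuses the highest
    deleted rowid) and the token carries only the id.
    hardened=True: AUTOINCREMENT (ids are never reused) plus a per-user random
    token_salt the token must match, so deleting the row revokes its tokens."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.db = sqlite3.connect(":memory:")
        pk = "INTEGER PRIMARY KEY AUTOINCREMENT" if hardened else "INTEGER PRIMARY KEY"
        self.db.execute(
            f"CREATE TABLE users (id {pk}, email TEXT NOT NULL, token_salt TEXT NOT NULL)"
        )

    def create_user(self, email: str):
        """Insert the user and issue a token; returns (id, token)."""
        salt = secrets.token_hex(16)
        cur = self.db.execute(
            "INSERT INTO users (email, token_salt) VALUES (?, ?)", (email, salt)
        )
        claims = {"sub": cur.lastrowid}
        if self.hardened:
            claims["salt"] = salt  # binds the token to this row, not just its id
        return cur.lastrowid, sign_token(claims)

    def delete_user(self, user_id: int) -> None:
        self.db.execute("DELETE FROM users WHERE id = ?", (user_id,))

    def authenticate(self, token: str) -> Optional[str]:
        """Return the e-mail the token resolves to, or None if rejected."""
        claims = verify_token(token)
        if claims is None:
            return None
        row = self.db.execute(
            "SELECT email, token_salt FROM users WHERE id = ?", (claims.get("sub"),)
        ).fetchone()
        if row is None:
            return None
        email, salt = row
        if self.hardened and not hmac.compare_digest(claims.get("salt", ""), salt):
            return None
        return email


def replay_scenario(hardened: bool) -> Optional[str]:
    """Account created, token kept, account deleted, next user created.
    Returns whose account the stale token now resolves to (None = rejected)."""
    store = UserStore(hardened)
    first_id, stale_token = store.create_user("first@example.invalid")
    store.delete_user(first_id)
    store.create_user("victim@example.invalid")
    return store.authenticate(stale_token)


if __name__ == "__main__":
    print("vulnerable:", replay_scenario(hardened=False))  # victim@example.invalid
    print("hardened:  ", replay_scenario(hardened=True))   # None
```

Two points the example makes explicit. `AUTOINCREMENT` on its own only stops the identifier from being handed out again; a token whose subject no longer exists is rejected because the row lookup fails, not because the token was revoked. Binding the token to a per-row random value (or to a per-user token version, or comparing the token's issue time against the row's creation time) is what makes deletion, and later re-creation under the same id, actually invalidate outstanding tokens, which is the second half of the mitigation described above.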