CVE-2025-4644: Payload's SQLite adapter Session Fixation vulnerability
N/A
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| payload | npm | < 3.44.0 | 3.44.0 |
| @payloadcms/next | npm | < 3.44.0 | 3.44.0 |
| @payloadcms/graphql | npm | < 3.44.0 | 3.44.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability, described as a Session Fixation issue in Payload's SQLite adapter, stems from the reuse of identifiers for newly created accounts after an old account is deleted. The core of the problem was the application's use of stateless JSON Web Tokens (JWTs) for authentication. These JWTs were tied only to a user ID. When an attacker created an account, obtained a JWT, and then deleted that account, the JWT remained cryptographically valid. Due to the ID reuse in SQLite, when a new user registered, they could be assigned the same ID as the deleted user. The attacker could then use their old, still-valid JWT to authenticate as this new, unrelated user.
The security patch addresses this fundamental design flaw by transitioning from stateless JWTs to a stateful, session-based authentication mechanism. My analysis of the commit 26d709dda6e512ce347557eaa2057db6e0cbf809 reveals the following key changes:
- Session Creation on Login: The `loginOperation` is updated to create a unique, server-side session for the user upon successful login. This session has its own unique ID (`sid`), which is then embedded into the JWT.
- Session Validation during Authentication: The `JWTAuthentication` strategy, which validates incoming requests, is modified to not only verify the JWT's signature but also to check that the `sid` within the token corresponds to an active session stored in the user's database record. If no active session is found for that `sid`, authentication fails, even if the token's signature is valid.
- Session Invalidation on Logout: The `logoutOperation` is enhanced to actively delete the session from the database. This server-side invalidation ensures that even if a JWT is compromised, it becomes useless the moment the user logs out.
This new session management system effectively mitigates the vulnerability. Even if a user ID is reused, an old JWT is useless because its associated session ID (`sid`) would have been deleted from the database either upon logout or when the original user account was deleted. The identified vulnerable functions (`loginOperation`, `JWTAuthentication`, `logoutOperation`) are the core components of the authentication flow whose previous, stateless logic enabled this vulnerability.