# CVE-2025-56643

Public reference for CVE-2025-56643 – Wiki.js 2.5.307 JWT Session Vulnerability

**Description:**
Requarks Wiki.js 2.5.307 does not properly revoke or invalidate active JWT tokens when a user logs out.
As a result, previously issued tokens remain valid and can be reused to access the system even after logout.
This behavior affects session integrity and may allow unauthorized access if a token is compromised.
The issue is present in the authentication resolver logic and affects both the GraphQL endpoint and logout mechanism.
**Affected Product:**
Wiki.js – version 2.5.307
**Affected Component:**
GraphQL API endpoint (`/graphql`), Authentication module, JWT session management, logout logic (UI and backend).
**Impact:**
Allows reuse of previously issued JWT tokens after logout, compromising session validity and user authentication.
**Vulnerability Type:**
CWE-613: Insufficient Session Expiration
**Attack Vector:**
Remote – An attacker with access to a previously issued token can continue using it after logout to perform authenticated actions.
**Discoverer:**
Patrick C. Luis Miguel Pazmiño Ali MS.
**Reference:**
- [CVE-2025-56643 (MITRE Record)](https://www.cve.org/CVERecord?id=CVE-2025-56643)
- [Wiki.js Official Site](https://js.wiki)
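
The condition in the Description, shown as an added example that is not Wiki.js code and not part of the original advisory: a stateless JWT check keeps accepting a token after logout, while a check backed by a server-side revocation list refuses it. The secret, the function names and the in-memory `revoked` map are assumptions made for this illustration.

```javascript
const { createHmac, randomUUID, timingSafeEqual } = require('crypto');

const SECRET = 'constructed-demo-secret'; // constructed value, example only
const nowSec = () => Math.floor(Date.now() / 1000);
const b64u = (s) => Buffer.from(s).toString('base64url');
const unb64u = (s) => Buffer.from(s, 'base64url');
const sign = (data) => createHmac('sha256', SECRET).update(data).digest();

// Issue an HS256 token with a unique jti and an expiry (hypothetical helper).
function issueToken(sub, ttlSec, now = nowSec()) {
  const head = b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64u(JSON.stringify({ sub, jti: randomUUID(), iat: now, exp: now + ttlSec }));
  return `${head}.${body}.${sign(`${head}.${body}`).toString('base64url')}`;
}

// Stateless check: signature and exp only. A logout that records nothing
// server-side changes nothing here, which is the CWE-613 condition.
function verifyStateless(token, now = nowSec()) {
  const parts = String(token).split('.');
  if (parts.length !== 3 || parts.some((p) => !p)) return null;
  const [head, body, sig] = parts;
  const expected = sign(`${head}.${body}`);
  const given = unb64u(sig);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  if (JSON.parse(unb64u(head).toString()).alg !== 'HS256') return null;
  const claims = JSON.parse(unb64u(body).toString());
  return claims.exp > now ? claims : null;
}

// Server-side revocation list: jti -> exp. Entries are dropped once the token
// would have expired anyway, so the list stays bounded by the token lifetime.
const revoked = new Map();

// Logout records the token's jti so later requests presenting it are refused.
function logout(token, now = nowSec()) {
  const claims = verifyStateless(token, now);
  if (claims) revoked.set(claims.jti, claims.exp);
}

// Hardened check: valid signature, not expired, and not revoked by logout.
function verifyWithRevocation(token, now = nowSec()) {
  for (const [jti, exp] of revoked) if (exp <= now) revoked.delete(jti);
  const claims = verifyStateless(token, now);
  return claims && !revoked.has(claims.jti) ? claims : null;
}
```

In a multi-node deployment the revocation list would need to live in shared storage rather than process memory; short token lifetimes reduce the window in either design.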