Payload's SQLite adapter Session Fixation vulnerability (GHSA-26rv-h2hf-3fw4) 2

Severity:: Medium

Description

A Session Fixation vulnerability existed in Payload’s SQLite adapter due to identifier reuse during account creation. A malicious attacker could create a new account, save its JSON Web Token (JWT), and then delete the account, which did not invalidate the JWT.

Recommendation

Update the payload package to the latest compatible version. Followings are version details:

Affected version(s): < 3.44.0
Patched version(s): 3.44.0

References

GHSA-26rv-h2hf-3fw4
cert.pl
CVE-2025-4644
CWE-384
CAPEC-310
OWASP 2021-A6
OWASP 2021-A7

Related Issues

Payload's SQLite adapter Session Fixation vulnerability (GHSA-26rv-h2hf-3fw4) - CVE-2025-4644
Payload's SQLite adapter Session Fixation vulnerability - CVE-2025-4644
Payload does not invalidate JWTs after log out (GHSA-5v66-m237-hwf7) - CVE-2025-4643
Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint - CVE-2025-65019

Tags:: npm; payload

Anything's wrong? Let us know Last updated on August 29, 2025