Payload's SQLite adapter Session Fixation vulnerability (GHSA-26rv-h2hf-3fw4) 2
- Severity:
- Medium
Description
A Session Fixation vulnerability existed in Payload’s SQLite adapter due to identifier reuse during account creation. A malicious attacker could create a new account, save its JSON Web Token (JWT), and then delete the account, which did not invalidate the JWT.
Recommendation
Update the payload package to the latest compatible version. Followings are version details:
- Affected version(s): < 3.44.0
- Patched version(s): 3.44.0
References
Related Issues
- Regular Expression Denial of Service (ReDoS) in lodash (GHSA-29mw-wpgm-hmr9) 3 - CVE-2020-28500
- Regular Expression Denial of Service (ReDoS) in lodash (GHSA-x5rq-j2xg-h7qm) - CVE-2019-1010266
- Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages - CVE-2025-59417
- Payload does not invalidate JWTs after log out (GHSA-5v66-m237-hwf7) 2 - CVE-2025-4643
- Tags:
- npm
- payload
Anything's wrong? Let us know Last updated on August 29, 2025