Description
A Session Fixation vulnerability existed in Payload’s SQLite adapter due to identifier reuse during account creation. A malicious attacker could create a new account, save its JSON Web Token (JWT), and then delete the account, which did not invalidate the JWT.
Recommendation
Update the payload package to the latest compatible version. Followings are version details:
- Affected version(s): < 3.44.0
- Patched version(s): 3.44.0
References
Related Issues
- Payload's SQLite adapter Session Fixation vulnerability - CVE-2025-4644
- Payload's SQLite adapter Session Fixation vulnerability - @payloadcms/next - CVE-2025-4644
- Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint - CVE-2025-65019
- @perfood/couch-auth may expose session tokens, passwords - CVE-2025-60794
You might also like:
- Tags:
- npm
- payload
Anything's wrong? Let us know Last updated on August 29, 2025


