Cyber Posture

CVE-2025-56643

Severity: Critical
Published: 18 November 2025
Modified: 31 December 2025
KEV Added:
Patch:
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0013 (31.5th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Requarks Wiki.js 2.5.307 does not properly revoke or invalidate active JWT tokens when a user logs out. As a result, previously issued tokens remain valid and can be reused to access the system, even after logout. This behavior affects session integrity and may allow unauthorized access if a token is compromised. The issue is present in the authentication resolver logic and affects both the GraphQL endpoint and the logout mechanism.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- prevent: Directly requires termination of user sessions upon logout or defined conditions, preventing reuse of JWT tokens that fail to invalidate post-logout.
- prevent: Mandates management and revocation of authenticators such as JWT tokens when users log out, addressing the core flaw in token invalidation.
- prevent: Protects communications session authenticity against risks like token replay or persistence, mitigating unauthorized access via compromised JWT tokens.

Security Summary [AI-generated]

CVE-2025-56643 is a critical vulnerability in Requarks Wiki.js version 2.5.307, where the application does not properly revoke or invalidate active JWT tokens upon user logout. As a result, previously issued tokens remain valid and can be reused to access the system even after logout, undermining session integrity and enabling potential unauthorized access if a token is compromised. The flaw exists in the authentication resolver logic and impacts both the GraphQL endpoint and the logout mechanism. It is associated with CWE-613 and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to network accessibility, low complexity, and no privileges or user interaction required.

Any network-based attacker can exploit this vulnerability without privileges or user interaction by obtaining a valid JWT token, such as through interception, theft, or prior compromise. With the token in hand, the attacker can authenticate and access protected resources indefinitely, bypassing the logout process and maintaining unauthorized persistence in the system. This leads to high impacts on confidentiality and integrity, allowing data exfiltration, modification, or other malicious actions under the victim's session context.

Mitigation guidance and additional details are available in the advisory referenced at https://github.com/0xBS0D27/CVE-2025-56643, published on 2025-11-18.

Details

CWE(s): CWE-613 (Insufficient Session Expiration)

Affected Products: requarks wiki.js 2.5.307

MITRE ATT&CK Enterprise Techniques [AI-generated]

- T1078 Valid Accounts (Stealth): Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1550.004 Web Session Cookie (Lateral Movement): Adversaries can use stolen session cookies to authenticate to web applications and services.

Why these techniques?

The improper JWT token invalidation on logout enables reuse of compromised tokens for unauthorized access, facilitating Valid Accounts (T1078), exploitation of the public-facing Wiki.js application (T1190), and use of stolen web session tokens as alternate authentication material (T1550.004).

References