Cybersecurity Vulnerabilities

CVE-2025-56643: Wiki.js Logout Fails to Revoke JWT Tokens, Exposing User Sessions

Overview

CVE-2025-56643 identifies a critical security vulnerability within Requarks Wiki.js version 2.5.307. The flaw stems from the application’s failure to properly revoke or invalidate JSON Web Tokens (JWTs) upon user logout. As a result, previously issued tokens remain active and can potentially be reused to gain unauthorized access to the system, even after a user has explicitly logged out. This poses a significant risk to session integrity and data security.

Technical Details

The core issue lies within the authentication resolver logic of Wiki.js. Specifically, when a user logs out, the application does not implement a mechanism to actively invalidate or blacklist the existing JWT associated with that session. This failure affects both the GraphQL endpoint used by the application and the logout mechanism itself. The lack of revocation means that if an attacker were to compromise a JWT (e.g., through network sniffing, cross-site scripting (XSS), or other means) before the user logs out, that token would remain valid until its natural expiration, granting the attacker persistent access even after the legitimate user has terminated their session.

The problem can be described as follows:

  1. User authenticates to Wiki.js and receives a valid JWT.
  2. User logs out of Wiki.js.
  3. Wiki.js does not invalidate the JWT issued in step 1.
  4. An attacker in possession of the JWT from step 1 can still use it to access Wiki.js resources as the logged-out user.

CVSS Analysis

Currently, a CVSS score is not available for CVE-2025-56643. However, based on the nature of the vulnerability, it is likely to receive a high severity rating. The potential for unauthorized access and compromise of user accounts significantly increases the risk associated with this flaw. A full CVSS analysis will likely be published as more information becomes available.

It is crucial to understand that a missing CVSS score *does not* diminish the severity of the problem. The ability to reuse valid tokens after logout constitutes a serious security lapse.

Possible Impact

The consequences of this vulnerability can be severe:

  • Unauthorized Access: Attackers can gain unauthorized access to user accounts by reusing compromised JWTs even after the legitimate user has logged out.
  • Data Breach: If an attacker gains access to an account, they may be able to access sensitive information stored within the Wiki.js instance.
  • Account Takeover: In some cases, an attacker could potentially use the compromised account to modify or delete content, potentially disrupting operations or causing reputational damage.
  • Lateral Movement: Depending on the privileges associated with the compromised account, an attacker might be able to leverage the access to move laterally within the network and access other systems.

Mitigation or Patch Steps

The primary mitigation step is to upgrade to a patched version of Wiki.js that addresses this vulnerability. Requarks has been notified and is expected to release a security update. In the interim, consider the following:

  1. Monitor for Updates: Regularly check the official Wiki.js website and GitHub repository for security updates and announcements.
  2. Shorten JWT Expiration Times: While not a complete fix, reducing the expiration time of JWTs can limit the window of opportunity for attackers to exploit compromised tokens. Consult the Wiki.js documentation for instructions on configuring JWT expiration.
  3. Implement Session Management: Consider using a session management solution to explicitly track and invalidate user sessions on logout. This would require custom development and integration with the existing Wiki.js authentication system.
  4. Web Application Firewall (WAF) Rules: Configure your WAF to detect and block suspicious activity related to JWTs, such as attempts to reuse tokens from logged-out sessions (this is difficult to implement effectively without generating false positives).

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
