
CVE-2025-56643 PoC — Wiki.js security vulnerability

Associated Vulnerability
Title: Wiki.js security vulnerability (CVE-2025-56643)
Description: Requarks Wiki.js 2.5.307 does not properly revoke or invalidate active JWT tokens when a user logs out. As a result, previously issued tokens remain valid and can be reused to access the system, even after logout. This behavior affects session integrity and may allow unauthorized access if a token is compromised. The issue is present in the authentication resolver logic and affects both the GraphQL endpoint and the logout mechanism.
Description
Public reference for CVE-2025-56643 – Wiki.js 2.5.307 JWT Session Vulnerability
Readme
# CVE-2025-56643
Public reference for CVE-2025-56643 – Wiki.js 2.5.307 JWT Session Vulnerability


**Description:**  
Requarks Wiki.js 2.5.307 does not properly revoke or invalidate active JWT tokens when a user logs out.  
As a result, previously issued tokens remain valid and can be reused to access the system even after logout.  
This behavior affects session integrity and may allow unauthorized access if a token is compromised.  
The issue is present in the authentication resolver logic and affects both the GraphQL endpoint and logout mechanism.

**Affected Product:**  
Wiki.js – version 2.5.307  

**Affected Component:**  
GraphQL API endpoint (`/graphql`), Authentication module, JWT session management, logout logic (UI and backend).

**Impact:**  
Allows reuse of previously issued JWT tokens after logout, compromising session validity and user authentication.

**Vulnerability Type:**  
CWE-613: Insufficient Session Expiration

**Attack Vector:**  
Remote – An attacker with access to a previously issued token can continue using it after logout to perform authenticated actions.

**Discoverer:**  
Patrick C. Luis Miguel Pazmiño Ali MS.

**Reference:**  
- [CVE-2025-56643 (MITRE Record)](https://www.cve.org/CVERecord?id=CVE-2025-56643)
- [Wiki.js Official Site](https://js.wiki)