CVE-2025-56643

Severity: 9.1 CRITICAL

📋 TL;DR

Wiki.js 2.5.307 has a critical authentication flaw where JWT tokens remain valid after logout, allowing session hijacking. Attackers can reuse stolen tokens to impersonate users and access sensitive wiki content. This affects all deployments using the vulnerable version.

💻 Affected Systems

Products:
  • Requarks Wiki.js
Versions: 2.5.307
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using the default authentication mechanism are affected. The vulnerability is in the core authentication resolver.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover leading to data theft, content manipulation, and privilege escalation if admin tokens are compromised.

🟠 Likely Case

Unauthorized access to user accounts allowing reading/editing of sensitive wiki pages and potential data exfiltration.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring, but still allows unauthorized access to the wiki instance.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires obtaining a valid JWT token through other means (phishing, MITM, token leakage). Once obtained, token reuse is trivial.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.5.308 or later

Vendor Advisory: https://github.com/Requarks/wiki/releases

Restart Required: Yes

Instructions:

1. Backup your wiki data.
2. Update to version 2.5.308 or later via npm (npm update wiki.js) or Docker.
3. Restart the wiki service.
4. Force all users to re-authenticate.

🔧 Temporary Workarounds

Implement token blacklisting
  Applies to: all
  Description: Manually implement JWT token revocation by maintaining a blacklist of invalidated tokens
  Command: Requires custom middleware implementation - no single command

Reduce token lifetime
  Applies to: all
  Description: Decrease JWT token expiration time to limit the window of exploitation
  Command: Set the JWT_EXPIRATION environment variable to a lower value (e.g., 3600 for 1 hour)

🧯 If You Can't Patch

  • Implement network-level controls: Restrict wiki access to trusted IPs only
  • Enable detailed logging of all authentication events and monitor for suspicious token reuse

🔍 How to Verify

Check if Vulnerable:

Check package.json for version 2.5.307, or run the following in the wiki directory:

node -e "console.log(require('./package.json').version)"

Check Version:

npm list wiki.js | grep wiki.js

Verify Fix Applied:

After the update, test the logout functionality:

1. Login and obtain a token.
2. Logout.
3. Attempt an API call with the same token - it should return 401.

📡 Detection & Monitoring

Log Indicators:

  • Multiple successful requests with same token after logout event
  • Token reuse from different IP addresses
  • Unusual authentication patterns

Network Indicators:

  • API calls with expired session tokens still succeeding
  • GraphQL requests with old tokens

SIEM Query:

source="wiki.js" AND (event="logout" OR event="authentication") | stats count by user, token_id
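The first two log indicators above (requests with a token after its logout event, and one token seen from several IPs) can be checked offline over exported logs. The following is an added example, not Wiki.js code; the key=value log format and the token_id/event field names are assumptions, and the log lines are constructed.

```javascript
// Constructed sample auth log (assumed key=value format; not Wiki.js's real log layout).
// Line 4 shows a token still accepted (status=200) after its logout, from a new IP.
const SAMPLE_LOG = [
  '2025-10-01T10:00:00Z event=authentication user=alice token_id=t1 ip=10.0.0.5 status=200',
  '2025-10-01T10:05:00Z event=request user=alice token_id=t1 ip=10.0.0.5 status=200',
  '2025-10-01T10:10:00Z event=logout user=alice token_id=t1 ip=10.0.0.5 status=200',
  '2025-10-01T10:12:00Z event=request user=alice token_id=t1 ip=203.0.113.9 status=200',
  '2025-10-01T10:15:00Z event=request user=bob token_id=t2 ip=10.0.0.7 status=200',
];

// Parse one "timestamp key=value key=value ..." line into an object.
function parseLine(line) {
  const [ts, ...pairs] = line.trim().split(/\s+/);
  const rec = { ts: new Date(ts) };
  for (const kv of pairs) {
    const i = kv.indexOf('=');
    rec[kv.slice(0, i)] = kv.slice(i + 1);
  }
  return rec;
}

// Walk the log in order and return findings for
//  - reuse_after_logout: a successful request using a token_id after that token's logout
//  - multi_ip: a token_id observed from more than one source IP
function findTokenReuse(lines) {
  const loggedOutAt = new Map();   // token_id -> Date of logout
  const ipsByToken = new Map();    // token_id -> Set of IPs seen
  const findings = [];
  for (const rec of lines.map(parseLine)) {
    if (rec.event === 'logout') {
      loggedOutAt.set(rec.token_id, rec.ts);
      continue;
    }
    const out = loggedOutAt.get(rec.token_id);
    if (out && rec.ts > out && rec.status === '200') {
      findings.push({ type: 'reuse_after_logout', user: rec.user,
                      token_id: rec.token_id, ip: rec.ip, ts: rec.ts.toISOString() });
    }
    const seen = ipsByToken.get(rec.token_id) || new Set();
    if (!seen.has(rec.ip)) {
      seen.add(rec.ip);
      ipsByToken.set(rec.token_id, seen);
      if (seen.size > 1) {
        findings.push({ type: 'multi_ip', user: rec.user, token_id: rec.token_id,
                        ips: [...seen], ts: rec.ts.toISOString() });
      }
    }
  }
  return findings;
}
```

On the sample above it reports one reuse_after_logout and one multi_ip finding, both for token t1; on a patched instance the post-logout request should log a 401 and produce no reuse finding.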
