PT-2025-42459 · Strapi · Strapi
Arkadiusz Marta
·
Published
2025-10-16
·
Updated
2025-10-16
·
CVE-2025-3930
CVSS v4.0
6.3
Medium
| Vector | AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Strapi versions prior to 5.24.1
Description
Strapi utilizes JSON Web Tokens (JWT) for authentication. Following logout or account deactivation, JWTs are not invalidated, enabling an attacker with a stolen or intercepted token to reuse it until its expiration. The default expiration is 30 days, but this can be modified. The '/admin/renew-token' API endpoint allows indefinite renewal of near-expiration tokens, amplifying the impact of this issue.
Recommendations
Update to version 5.24.1 or later.
Fix
Insufficient Session Expiration
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Strapi