JWT Invalidation Issue in Strapi by Strapi
CVE-2025-3930

6.3MEDIUM

Key Information:

Vendor

Strapi

Status
Strapi
Vendor
CVE Published:
16 October 2025

What is CVE-2025-3930?

Strapi's implementation of JSON Web Tokens (JWT) presents a significant security issue where tokens remain valid even after a user logs out or deactivates their account. This allows malicious actors to exploit stolen or intercepted tokens until they expire, which by default lasts for 30 days. Furthermore, the presence of the /admin/renew-token endpoint enables unauthorized renewal of tokens nearing expiration, compounding the risk by granting attackers extended access. The issue has been rectified in Strapi version 5.24.1.

Affected Version(s)

Strapi 0 < 5.24.1

References

https://cert.pl/posts/2025/06/CVE-2025-3930
third-party-advisory
https://cert.pl/en/posts/2025/06/CVE-2025-3930
third-party-advisory
https://github.com/strapi/strapi
product

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Arkadiusz Marta
JSON
.
CVE-2025-3930 : JWT Invalidation Issue in Strapi by Strapi