Report an incident
Back
  • About us
  • For experts
Report an incident
About us
About our team Contact
Baza wiedzy
Fałszywe inwestycje Uważaj na fałszywe sklepy online (Nie)bezpieczne płatności Fałszywi konsultanci Zadbaj o bezpieczne hasła i logowanie Fałszywe załączniki w mailach Fałszywe prośby o szybki przelew Fałszywe SMSy - plaga ostatnich miesięcy Bezpieczny telefon
Biuletyn OUCH!
Porady bezpieczeństwa OUCH!
Projects
n6 Artemis MWDB
CVD program
CVD policy Advisories

Vulnerability in Strapi software
16 October 2025 | CERT Polska | #vulnerability, #warning, #cve
CVE ID CVE-2025-3930
Publication date 16 October 2025
Vendor Strapi
Product Strapi
Vulnerable versions All before 5.24.1
Vulnerability type (CWE) Insufficient Session Expiration (CWE-613)
Report source Report to CERT Polska

Description

CERT Polska has received a report about vulnerability in Strapi software and participated in coordination of its disclosure.

The vulnerability CVE-2025-3930: Strapi uses JSON Web Tokens (JWT) for authentication. After logout or account deactivation, the JWT is not invalidated, which allows an attacker who has stolen or intercepted the token to freely reuse it until its expiration date (which is set to 30 days by default, but can be changed). The existence of /admin/renew-token endpoint allows anyone to renew near-expiration tokens indefinitely, further increasing the impact of this attack.

This issue has been fixed in version 5.24.1.

Credits

We thank Arkadiusz Marta for the responsible vulnerability report.

More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.