CVE-2025-3930— Lack of JWT Expiration after Log Out in Strapi
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-3930
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Lack of JWT Expiration after Log Out in Strapi
Source: NVD (National Vulnerability Database)
Vulnerability Description
Strapi uses JSON Web Tokens (JWT) for authentication. After logout or account deactivation, the JWT is not invalidated, which allows an attacker who has stolen or intercepted the token to freely reuse it until its expiration date (which is set to 30 days by default, but can be changed). The existence of /admin/renew-token endpoint allows anyone to renew near-expiration tokens indefinitely, further increasing the impact of this attack. This issue has been fixed in version 5.24.1.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
不充分的会话过期机制
Source: NVD (National Vulnerability Database)
Vulnerability Title
Strapi 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Strapi是法国strapi社区的一套开源的内容管理系统(CMS)。 Strapi 5.24.1之前版本存在代码问题漏洞,该漏洞源于注销或停用账户后未使JWT失效且存在/admin/renew-token端点,可能导致令牌被恶意重用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-3930
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-3930
请登录查看更多情报信息。
Same Patch Batch · Strapi · 2025-10-16 · 4 CVEs total
| CVE-2024-56143 | 8.2 HIGH | Strapi Allows Unauthorized Access to Private Fields via parms.lookup |
| CVE-2025-53092 | 6.5 MEDIUM | Strapi core vulnerable to sensitive data exposure via CORS misconfiguration |
| CVE-2025-25298 | Missing Maximum Password Length Validation in Strapi Password Hashing |
IV. Related Vulnerabilities
Same product: Strapi
- CVE-2025-53092
Strapi core vulnerable to sensitive data exposure via CORS m - CVE-2025-25298
Missing Maximum Password Length Validation in Strapi Passwor - CVE-2024-56143
Strapi Allows Unauthorized Access to Private Fields via parm - CVE-2024-52588
Strapi allows Server-Side Request Forgery in Webhook functio - CVE-2024-34065
@strapi/plugin-users-permissions leaks 3rd party authenticat
Same vendor: Strapi
- CVE-2025-53092
Strapi core vulnerable to sensitive data exposure via CORS m - CVE-2025-25298
Missing Maximum Password Length Validation in Strapi Passwor - CVE-2024-56143
Strapi Allows Unauthorized Access to Private Fields via parm - CVE-2024-52588
Strapi allows Server-Side Request Forgery in Webhook functio - CVE-2024-34065
@strapi/plugin-users-permissions leaks 3rd party authenticat
Same weakness: CWE-613
- CVE-2026-41902
FreeScout's user invitation hash never expires: permanent un - CVE-2026-41519
Weblate's API Token Not Invalidated on Password Change - CVE-2026-41891
CI4MS: Deactivated User Session Bypass (active=0) - CVE-2026-40934
jupyter-server authentication cookies remain valid after pas - CVE-2026-42421
OpenClaw < 2026.4.8 - WebSocket Session Persistence via Shar
V. Comments for CVE-2025-3930
No comments yet