Medium severityGHSA Advisory· Published Oct 16, 2025· Updated Apr 15, 2026

CVE-2025-3930

Description

Strapi uses JSON Web Tokens (JWT) for authentication. After logout or account deactivation, the JWT is not invalidated, which allows an attacker who has stolen or intercepted the token to freely reuse it until its expiration date (which is set to 30 days by default, but can be changed). The existence of /admin/renew-token endpoint allows anyone to renew near-expiration tokens indefinitely, further increasing the impact of this attack.

This issue has been fixed in version 5.24.1.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
@strapi/strapinpm	< 5.24.1	5.24.1

Affected products

Strapi/StrapiGHSA
Range: < 5.24.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-4r8w-3jww-m2rpghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-3930ghsaADVISORY
cert.pl/en/posts/2025/06/CVE-2025-3930nvdWEB
strapi.ioghsaWEB
strapi.io/blog/security-disclosure-of-vulnerabilities-cve-October-2025nvdWEB
strapi.ionvd

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000