CVE-2025-3930 — Strapi is vulnerable to Insufficient Session Expiration

Description

Strapi uses JSON Web Tokens (JWT) for authentication. After logout or account deactivation, the JWT is not invalidated, which allows an attacker who has stolen or intercepted the token to freely reuse it until its expiration date (which is set to 30 days by default, but can be changed). The existence of /admin/renew-token endpoint allows anyone to renew near-expiration tokens indefinitely, further increasing the impact of this attack. This issue has been fixed in version 5.24.1.

How to fix CVE-2025-3930

To remediate CVE-2025-3930, upgrade the affected package to a fixed version below.

—upgrade to 5.24.1 or later

Is CVE-2025-3930 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 5.24.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-3930
PATCHgithub.com/strapi/strapi
WEBcert.pl/en/posts/2025/06/CVE-2025-3930
WEBstrapi.io
WEBstrapi.io/blog/security-disclosure-of-vulnerabilities-cve-October-2025