Strapi
cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*, +2 more
A vulnerability exists in Strapi's authentication mechanism, which relies on JSON Web Tokens (JWT). After a user logs out or deactivates their account, the JWT remains valid and can be reused until it expires; the expiry is typically 30 days but can be changed. A stolen or intercepted token therefore stays usable after the session it belonged to has ended. In addition, the /admin/renew-token endpoint allows a token that is close to expiring to be renewed indefinitely, which extends that window further. This vulnerability has been addressed in Strapi version 5.24.1.
Exploitation of this vulnerability allows for unauthorized access using a valid JWT, potentially leading to unauthorized actions or data access within the application.
Users can update to Strapi version 5.24.1 or later to address this vulnerability.
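As an added illustration (not Strapi's code), the following Python sketch shows the server-side controls that close this kind of gap: a per-user logout cut-off and a per-token denylist consulted on every verification, plus an absolute session cap so that renewal cannot keep a token alive indefinitely. The secret, lifetimes and claim names are constructed assumptions.

```python
import base64, hashlib, hmac, json, uuid
# Constructed demo values; a real deployment uses a random secret and tuned lifetimes.
SECRET = b"constructed-demo-secret"
TOKEN_TTL = 30 * 24 * 3600    # per-token lifetime (the 30-day default named above)
MAX_SESSION = 90 * 24 * 3600  # absolute cap: renewals cannot extend one login past this
# Server-side revocation state (a database or cache in practice).
revoked_before = {}  # user id -> epoch seconds of that user's last logout/deactivation
denied_jti = set()   # ids of individual tokens that must never be accepted again

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(claims: dict) -> str:  # serialise claims as an HS256 JWT
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def login(user_id: str, now: int) -> str:
    # auth_time records the original login; renewals carry it forward unchanged.
    return sign({"sub": user_id, "jti": str(uuid.uuid4()), "iat": now,
                 "exp": now + TOKEN_TTL, "auth_time": now})

def logout(user_id: str, now: int) -> None:  # every token issued at/before now is dead
    revoked_before[user_id] = now

def verify(token: str, now: int):  # claims if authentic, unexpired and unrevoked, else None
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        c = json.loads(_unb64(body))
        if not c.get("exp", 0) > now or c.get("jti") in denied_jti:   # expired or revoked
            return None
        if revoked_before.get(c.get("sub"), -1) >= c.get("iat", 0):  # issued at/before logout
            return None
        return c
    except (ValueError, TypeError, AttributeError):  # malformed token or claims
        return None

def renew(token: str, now: int):  # fresh token only while the original login is in MAX_SESSION
    c = verify(token, now)
    if c is None or now - c.get("auth_time", 0) >= MAX_SESSION:
        return None
    denied_jti.add(c["jti"])  # the pre-renewal token cannot be replayed afterwards
    return sign({**c, "jti": str(uuid.uuid4()), "iat": now, "exp": now + TOKEN_TTL})
```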