Strapi Password Reset Vulnerability Allows Unauthorized Access via Active Refresh Tokens

Vulnerability

A vulnerability in Strapi, an open-source headless content management system, exists in versions prior to 5.33.3. When a user changed or reset their password, the system did not automatically invalidate that user's existing refresh-token sessions. An attacker holding a previously obtained refresh token could therefore keep generating new access tokens and retain unauthorized access for up to 30 days, the lifetime of the refresh token. The root cause was that refresh-token invalidation depended on a supplied 'deviceId': if no 'deviceId' was supplied, no tokens were revoked and every prior session remained active. The vulnerability undermined the effectiveness of a password reset as a security measure.

Impact

Exploitation of this vulnerability allowed persistent unauthorized access to user accounts: a refresh token that remained active after a password change could still be exchanged for new access tokens, bypassing the password reset.

Remediation

Users are advised to update Strapi to version 5.33.3 or later, where this vulnerability has been addressed.

Added: May 14, 2026, 7:43 PM
Updated: May 14, 2026, 7:43 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 1.3
exploitability: 5.6
remediation: 7.7
relevance: 8.3
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.