Full Report
An Insufficient Session Expiration vulnerability (CVE-2025-3930) has been found in the Strapi software.
Analysis Summary
# Vulnerability: Insufficient Session Expiration in Strapi via Non-Invalidated JWTs
## CVE Details
- CVE ID: CVE-2025-3930
- CVSS Score: Not provided in the source; severity estimated **High** because tokens can be renewed indefinitely (an estimate based on impact, not a published vector).
- CWE: CWE-613 (Insufficient Session Expiration)
## Affected Systems
- Products: Strapi
- Versions: All versions before 5.24.1
- Configurations: Any configuration where JWT is used for authentication.
## Vulnerability Description
Strapi uses JSON Web Tokens (JWT) for authentication. The flaw is that, on user logout or account deactivation, the corresponding JWT is **not immediately invalidated**: an attacker who has previously stolen or intercepted a valid JWT can keep using it until its scheduled expiration time (30 days by default). In addition, the `/admin/renew-token` endpoint lets such an attacker renew a near-expiration token indefinitely, effectively bypassing the intended expiration mechanism.
## Exploitation
- Status: No details of widespread exploitation are provided, but the condition for token reuse exists.
- Complexity: **Medium** (Requires token theft/interception initially, but renewal complexity is low).
- Attack Vector: **Network** (Assuming token interception over the network).
## Impact
- Confidentiality: **High** (Unauthorized access to authenticated sessions).
- Integrity: **High** (Unauthorized actions depending on user privileges).
- Availability: **Low to Medium** (Potential for session exhaustion, but primary impact is on confidentiality/integrity).
## Remediation
### Patches
- Upgrade Strapi to version **5.24.1** or later.
### Workarounds
- No official workarounds are listed in the summary. If patching is delayed, mitigation would have to address the core flaw: enforce server-side session invalidation on logout and account deactivation, and restrict access to the `/admin/renew-token` endpoint.
## Detection
- **Indicators of Compromise:** Unusual token renewal requests originating from unexpected IP addresses; persistent authenticated sessions following explicit logout events.
- **Detection methods and tools:** Monitoring logs for repeated calls to the `/admin/renew-token` endpoint, especially when associated with older or suspected invalidated session tokens.
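To make the detection method concrete, here is an added example (not from the original report or from Strapi) that runs the checks above over constructed access-log lines: reuse of a token fingerprint after it was presented at logout, renewal from an address that never logged in as that user, and bursts of `/admin/renew-token` calls. The log line format, the `/admin/login` and `/admin/logout` paths, and the thresholds are assumptions; real logs would need a proxy or middleware that emits a per-request token fingerprint.

```javascript
// Added example for this report (not Strapi code): scan access-log lines for
// the patterns the Detection section names. Assumed line format, which a
// reverse proxy or middleware would have to emit:
//   <ISO-8601 time> <client ip> <method> <path> <status> user=<id> token=<fingerprint>
// <fingerprint> is a short hash of the bearer token; raw tokens never go to logs.
const RENEW_PATH = '/admin/renew-token'; // endpoint named in the report
const LOGOUT_PATH = '/admin/logout';     // assumed logout path for this example
const LOGIN_PATH = '/admin/login';       // assumed login path for this example

// Constructed sample: user 7 logs in and out from one address; the same token
// fingerprint then reappears from a second address and is renewed in a burst.
// User 9 renews once from the address they logged in from (benign baseline).
const SAMPLE_LOG = `
2025-05-01T10:00:00Z 203.0.113.10 POST /admin/login 200 user=7 token=-
2025-05-01T10:00:05Z 203.0.113.10 GET /admin/users/me 200 user=7 token=a1b2c3
2025-05-01T10:30:00Z 203.0.113.10 POST /admin/logout 200 user=7 token=a1b2c3
2025-05-01T11:00:00Z 198.51.100.7 GET /admin/users/me 200 user=7 token=a1b2c3
2025-05-01T11:00:01Z 198.51.100.7 POST /admin/renew-token 200 user=7 token=a1b2c3
2025-05-01T11:00:02Z 198.51.100.7 POST /admin/renew-token 200 user=7 token=f0e1d2
2025-05-01T11:00:03Z 198.51.100.7 POST /admin/renew-token 200 user=7 token=c3b4a5
2025-05-01T12:00:00Z 203.0.113.10 POST /admin/login 200 user=9 token=-
2025-05-01T12:00:10Z 203.0.113.10 POST /admin/renew-token 200 user=9 token=d4e5f6
`;

function parseLine(line) {
  const [ts, ip, method, path, status, user, token] = line.trim().split(/\s+/);
  return {
    ts: Date.parse(ts), ip, method, path, status: Number(status),
    user: user.split('=')[1], token: token.split('=')[1],
  };
}

function analyze(logText, { burstCount = 3, burstWindowMs = 5 * 60 * 1000 } = {}) {
  const events = logText.split('\n').filter((l) => l.trim()).map(parseLine)
    .sort((a, b) => a.ts - b.ts);
  const loggedOut = new Set();   // fingerprints presented at a logout
  const loginIps = new Map();    // user -> Set of addresses that completed /admin/login
  const renewals = new Map();    // user -> timestamps of renewal calls
  const burstReported = new Set();
  const findings = { reusedAfterLogout: [], renewalFromNewIp: [], renewalBursts: [] };

  for (const e of events) {
    if (e.status >= 400) continue;  // rejected requests never became a session
    const when = new Date(e.ts).toISOString();
    if (e.path === LOGIN_PATH) {
      if (!loginIps.has(e.user)) loginIps.set(e.user, new Set());
      loginIps.get(e.user).add(e.ip);
    }
    // A fingerprint that was presented at logout and is accepted again is the
    // CVE-2025-3930 condition itself: the session outlived the logout.
    if (loggedOut.has(e.token) && e.path !== LOGOUT_PATH) {
      findings.reusedAfterLogout.push({ token: e.token, ip: e.ip, ts: when });
    }
    if (e.path === LOGOUT_PATH) loggedOut.add(e.token);
    if (e.path === RENEW_PATH) {
      const known = loginIps.get(e.user) || new Set();
      if (!known.has(e.ip)) findings.renewalFromNewIp.push({ user: e.user, ip: e.ip, ts: when });
      const stamps = renewals.get(e.user) || [];
      stamps.push(e.ts);
      renewals.set(e.user, stamps);
      const recent = stamps.filter((t) => e.ts - t <= burstWindowMs).length;
      if (recent >= burstCount && !burstReported.has(e.user)) {
        burstReported.add(e.user);
        findings.renewalBursts.push({ user: e.user, count: recent, ts: when });
      }
    }
  }
  return findings;
}

console.log(JSON.stringify(analyze(SAMPLE_LOG), null, 2));
```

Because a renewal returns a fresh token, a fingerprint-only check catches just the first reuse after logout; the per-user address and burst checks are what follow the session across renewals, which is why the example correlates on the user id rather than on the token alone.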
## References
- Vendor Advisories: Information derived from the report coordinated by CERT Polska.
- Relevant links (defanged):
  - hxxps://incydent.cert.pl/#!/lang=en
  - hxxps://cert.pl/en/cve
  - hxxps://cve.org/CVERecord?id=CVE-2025-3930
  - hxxps://cwe.mitre.org/data/definitions/613.html