Strapi, Insufficient Session Expiration, CVE-2025-XXXX (Moderate)


The CVE-2025-XXXX vulnerability in Strapi stems from a critical flaw in JWT token management. The application does not invalidate JWTs upon user logout or account deactivation. This means any previously issued token remains valid until its inherent expiration time, which defaults to 30 days. An attacker in possession of a stolen token can continue to access the user’s account and permissions. Furthermore, the existence of the `/admin/renew-token` endpoint exacerbates the issue. This endpoint allows any valid token holder to renew it, effectively granting indefinite access by repeatedly extending the token’s lifespan before it expires, bypassing the intended session expiration.
Platform: Strapi
Version: <5.24.1
Vulnerability: Insufficient Session Expiration
Severity: Moderate

Date: 2025-10-16

Prediction: Patch Available

What Undercode Say:

# Exercise the renew endpoint with an already-issued token
curl -H "Authorization: Bearer <JWT_TOKEN>" http://strapi-host/admin/renew-token

# Inspect the claims (exp, iat, sub) of a token without checking its signature (PyJWT)
jwt.decode(token, options={"verify_signature": False})

# Search backup storage for tokens that should not have been persisted
aws s3 ls s3://backup-bucket --recursive | grep jwt

How to Exploit:

Steal JWT via MITM or XSS. Use token post-logout. Call renew endpoint for indefinite access.

Protection from this CVE

Upgrade to Strapi 5.24.1. Implement server-side token blacklisting (a revocation list consulted on every request, including the renew endpoint). Reduce the default JWT expiration time.

Impact:

Persistence for an attacker holding a stolen token. Account takeover after deactivation. Bypass of the logout control.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
