
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-3930 is a vulnerability in Strapi's authentication system that was discovered and disclosed in October 2025. It affects versions prior to 5.24.1, in which JSON Web Tokens (JWT) remain valid after a user logs out or the account is deactivated. The issue was initially reported by CERT.PL and affects the authentication mechanism of Strapi's admin panel (Strapi Blog, NVD).
The vulnerability stems from Strapi's JWT implementation, in which tokens are not invalidated on logout or account deactivation: a token remains valid until its expiration date (30 days by default). Additionally, the /admin/renew-token endpoint allows indefinite token renewal, compounding the risk. The vulnerability has been assigned a CVSS 4.0 score of 6.3 (MEDIUM) with the vector string CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N (NVD, CERT.PL).
The primary impact is on the admin panel, where a compromised token can be reused until it expires. An attacker who has intercepted or stolen a token can continue to access the system even after the legitimate user has logged out. The vulnerability is particularly concerning because tokens can be renewed indefinitely through the /admin/renew-token endpoint (Strapi Blog).
The vulnerability has been patched in Strapi version 5.24.1. Users should immediately update to this version or later. The fix includes a complete refactoring of the authentication system for both the Admin Panel and Users & Permissions, implementing a comprehensive session management system that tracks sessions per user, per device, and per session (Strapi Blog).
Strapi has demonstrated commitment to responsible disclosure by working with security researchers and implementing a staged disclosure process. They notified customers via multiple emails and included security notices in release notes before full disclosure. The company has encouraged the community to report security vulnerabilities through GitHub Advisory or by contacting their security team at security@strapi.io (Strapi Blog).
Source: This report was generated using AI