Description
Strapi uses JSON Web Tokens (JWT) for authentication. After logout or account deactivation, the JWT is not invalidated, which allows an attacker who has stolen or intercepted the token to freely reuse it until its expiration date (which is set to 30 days by default, but can be changed).
Recommendation
Update the @strapi/strapi package to the latest compatible version. Followings are version details:
- Affected version(s): < 5.24.1
- Patched version(s): 5.24.1
References
Related Issues
- Elliptic's verify function omits uniqueness validation - CVE-2024-48949
- Nuxt DevTools vulnerable to cross-site scripting (XSS) - CVE-2025-52662
- Regular Expression Denial of Service (ReDoS) in lodash - CVE-2020-28500
- parse-uri Regular expression Denial of Service (ReDoS) - CVE-2024-36751
- Tags:
- npm
- @strapi/strapi
Anything's wrong? Let us know Last updated on October 22, 2025