Description
Strapi uses JSON Web Tokens (JWT) for authentication. After logout or account deactivation, the JWT is not invalidated, which allows an attacker who has stolen or intercepted the token to freely reuse it until its expiration date (which is set to 30 days by default, but can be changed).
Recommendation
Update the @strapi/strapi package to the latest compatible version. Followings are version details:
- Affected version(s): < 5.24.1
- Patched version(s): 5.24.1
References
Related Issues
- Apostrophe CMS Insufficient Session Expiration vulnerability - CVE-2021-25979
- NextJS-Auth0 SDK Vulnerable to CDN Caching of Session Cookies - CVE-2025-48947
- Strapi core vulnerable to sensitive data exposure via CORS misconfiguration - CVE-2025-53092
- @perfood/couch-auth may expose session tokens, passwords - CVE-2025-60794
- Tags:
- npm
- @strapi/strapi
Anything's wrong? Let us know Last updated on October 22, 2025