Unauthorized Access to Private Fields in User Registration API in strapi
Description
strapi is an open-source headless CMS. Versions prior to 4.13.1 did not properly restrict write access to fields marked as private in the user registration endpoint. As such, malicious users may be able to errantly modify their user records. This issue has been addressed in version 4.13.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Strapi before 4.13.1 fails to restrict write access to private fields during user registration, allowing unauthorized modification of user records.
Vulnerability
Description
Strapi versions prior to 4.13.1 contain a vulnerability in the user registration endpoint that does not properly restrict write access to fields marked as private in the user content-type. Private fields, intended to be hidden from users, were not filtered out during registration, allowing malicious actors to include values for these fields in registration requests [1][2][4].
Exploitation
An attacker can exploit this by sending a POST request to the registration API that includes values for private fields alongside the normal registration data. No special privileges are required; the attacker only needs to know which field names are marked as private. The vulnerability exists because the sanitization logic applied to the registration body did not exclude private fields, as demonstrated by a security researcher who provided a temporary workaround using _.omitBy to filter them out [4].
Impact
Successful exploitation allows an unauthorized user to modify their own user record, potentially setting values for private fields such as roles, permissions, or other sensitive attributes. This could lead to privilege escalation or unauthorized access to restricted functionality, depending on the specific private fields defined in the user content-type [1][2].
Mitigation
The vulnerability has been addressed in Strapi version 4.13.1, with further hotfixes in 4.13.5. Users are advised to upgrade immediately. There are no known workarounds for this issue, as the existing sanitization functions did not properly handle private fields [1][2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
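As an added example (not Strapi's own code and not the researcher's _.omitBy workaround cited above), this is the filtering step the Exploitation and Mitigation passages describe as missing: a schema-driven sanitizer that drops private attributes from a registration body before it reaches the record create. The schema field names and the allowlist are assumptions for illustration; note that registration legitimately needs some private attributes (the password), so dropping every private field would break the endpoint.

```javascript
// Added example, not Strapi's own code: strip attributes flagged `private`
// in a content-type schema from a registration body. Before 4.13.1 the
// registration endpoint skipped this step, so a caller could submit values
// for fields the schema meant to keep hidden.

// Constructed schema in the shape of a Strapi content-type `attributes` map.
// Field names and flags are illustrative assumptions, not the real schema.
const userSchema = {
  attributes: {
    username: { type: 'string' },
    email: { type: 'email' },
    password: { type: 'password', private: true },
    confirmed: { type: 'boolean', private: true },
    blocked: { type: 'boolean', private: true },
    confirmationToken: { type: 'string', private: true },
    role: { type: 'relation', private: true },
  },
};

// Registration needs some private attributes (the password), so the
// sanitizer takes an explicit allowlist instead of dropping all of them.
function sanitizeRegistrationBody(schema, body, allowPrivate = ['password']) {
  const sanitized = {};
  const dropped = [];
  for (const [key, value] of Object.entries(body)) {
    const attr = schema.attributes[key];
    const isPrivate = Boolean(attr && attr.private);
    if (!attr || (isPrivate && !allowPrivate.includes(key))) {
      // Unknown keys and non-allowlisted private keys are rejected together;
      // `dropped` lets the caller log what a client tried to set.
      dropped.push(key);
      continue;
    }
    sanitized[key] = value;
  }
  return { sanitized, dropped };
}

// Constructed registration body carrying values for private fields.
const constructedBody = {
  username: 'alice',
  email: 'alice@example.com',
  password: 'correct horse battery staple',
  confirmed: true,
  blocked: false,
  role: 1,
  unknownField: 'x',
};

const result = sanitizeRegistrationBody(userSchema, constructedBody);
// result.sanitized keeps username, email, password;
// result.dropped is ['confirmed', 'blocked', 'role', 'unknownField'].
```

Logging `dropped` on the server side gives a detection signal: a registration request that carries private field names is worth alerting on even after the upgrade.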
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @strapi/plugin-users-permissions (npm) | >= 4.0.0, < 4.13.1 | 4.13.1 |
| @strapi/strapi (npm) | >= 4.0.0, < 4.13.1 | 4.13.1 |
Affected products
- ghsa coordinates (2 versions): >= 4.0.0, < 4.13.1
- (no CPE) range: >= 4.0.0, < 4.13.1
- (no CPE) range: >= 4.0.0, < 4.13.1
- strapi/strapi v5 range: >= 4.0.0, < 4.13.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-gc7p-j5xm-xxh2 (ghsa, ADVISORY)
- [2] nvd.nist.gov/vuln/detail/CVE-2023-39345 (ghsa, ADVISORY)
- [3] github.com/strapi/strapi/security/advisories/GHSA-gc7p-j5xm-xxh2 (ghsa, x_refsource_CONFIRM, WEB)
- [4] strapi.io/blog/security-disclosure-of-vulnerabilities-sept-2023 (ghsa, WEB)
News mentions
No linked articles in our index yet.