VYPR
High severity · NVD Advisory · Published Oct 16, 2025 · Updated Oct 16, 2025

Strapi core vulnerable to sensitive data exposure via CORS misconfiguration

CVE-2025-53092

Description

Strapi is an open source headless content management system. Strapi versions prior to 5.20.0 contain a CORS misconfiguration vulnerability in default installations. By default, Strapi reflects the value of the Origin header back in the Access-Control-Allow-Origin response header without proper validation or whitelisting. This allows an attacker-controlled site to send credentialed requests to the Strapi backend. An attacker can exploit this by hosting a malicious site on a different origin (e.g., different port) and sending requests with credentials to the Strapi API. The vulnerability is fixed in version 5.20.0. No known workarounds exist.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Strapi versions before 5.20.0 reflect the Origin header in Access-Control-Allow-Origin without validation, enabling cross-origin credentialed requests.

Vulnerability

Overview

CVE-2025-53092 is a CORS misconfiguration in default installations of Strapi, an open-source headless CMS. In versions prior to 5.20.0, the CORS middleware reflects the value of the Origin request header into the Access-Control-Allow-Origin response header without checking it against an allow-list [1]. Any origin, including an attacker-controlled site, is therefore accepted for cross-origin requests, and because the response also permits credentials, the browser treats the attacker's page as an allowed origin for credentialed calls as well.

Exploitation

An attacker hosts a page on a different origin (a different port is enough, since an origin is the scheme, host and port together) and has the victim's browser send credentialed requests (cookies, or an Authorization header the script attaches) to the Strapi API, for example with fetch(url, { credentials: 'include' }). Because the server echoes the attacker's origin back as allowed, the browser exposes the response to the attacker's script, so the page can both read API responses and issue state-changing requests with the victim's session [1]. The fix, commit 6e535cb756, adds proper origin validation: the request origin is compared against the configured allow-list by exact string match (scheme, host and port), and an origin that is not listed is refused by returning an empty string, which the CORS layer treats as no allowed origin [4].
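The exchange described above, as an added example that is not Strapi's code: a model of the reflecting origin check next to an allow-list check with the same exact-match semantics as the 5.20.0 patch, plus the browser rule that decides whether a credentialed cross-origin response is exposed to the calling page. The helper names and the origins used (an API at http://localhost:1337, an attacker page at http://localhost:8080) are assumptions made for this example.

```javascript
// Added example, not Strapi's middleware: models the pre-5.20.0 behaviour the
// advisory describes (Origin reflection) beside an allow-list check with the
// exact-match semantics of the 5.20.0 patch, and the browser rule for
// credentialed responses. Helper names and origins are assumptions.

// Vulnerable behaviour described in the advisory: whatever Origin the browser
// sends is echoed back as allowed; no allow-list is consulted.
function vulnerableAllowOrigin(requestOrigin) {
  if (!requestOrigin) return '*';   // non-CORS request, no Origin header
  return requestOrigin;             // reflection is the bug
}

// Hardened check with the semantics of the patched middleware: the configured
// value may be an array or a comma-separated string; the request origin must
// equal an entry exactly (scheme, host and port), otherwise '' (refused).
function patchedAllowOrigin(configuredOrigin, requestOrigin) {
  if (!requestOrigin) return '*';
  const allowList = Array.isArray(configuredOrigin)
    ? configuredOrigin
    : String(configuredOrigin).split(',').map((o) => o.trim());
  return allowList.includes(requestOrigin) ? requestOrigin : '';
}

// Response headers the server emits for an allowed origin. A refused origin
// ('') gets no CORS headers at all.
function corsHeaders(allowOrigin, credentials) {
  const headers = {};
  if (allowOrigin) {
    headers['access-control-allow-origin'] = allowOrigin;
    if (credentials) headers['access-control-allow-credentials'] = 'true';
  }
  return headers;
}

// Browser rule for fetch(url, { credentials: 'include' }) issued from a page
// at pageOrigin: the response is exposed to script only if ACAO is exactly
// the page's origin (the '*' wildcard is rejected when credentials are sent)
// and ACAC is 'true'. Otherwise the request may still reach the server, but
// the page cannot read the response.
function browserExposesCredentialedResponse(pageOrigin, headers) {
  return headers['access-control-allow-origin'] === pageOrigin
    && headers['access-control-allow-credentials'] === 'true';
}

// Attacker page on a different origin (here only the port differs from the
// API) sending a credentialed request; returns whether its script can read
// the response body under the given server policy.
function attackerCanReadResponse(policy, configuredOrigin, credentials) {
  const attackerOrigin = 'http://localhost:8080';   // constructed for the example
  const allow = policy === 'vulnerable'
    ? vulnerableAllowOrigin(attackerOrigin)
    : patchedAllowOrigin(configuredOrigin, attackerOrigin);
  return browserExposesCredentialedResponse(attackerOrigin, corsHeaders(allow, credentials));
}

// Sanity run when executed directly.
console.log('vulnerable:', attackerCanReadResponse('vulnerable', 'http://localhost:1337', true)); // true
console.log('patched:', attackerCanReadResponse('patched', 'http://localhost:1337', true));       // false
```

With the reflecting policy the attacker's page reads the credentialed response; with the allow-list policy the origin is refused and the browser withholds it. The exact-match rule also means http://localhost:3000 does not match a configured http://localhost:1337, and a configured '*' no longer matches any real origin, which is the same behaviour the patched single-string branch in the diff on this page produces.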

Impact

Successful exploitation lets an attacker act on behalf of an authenticated Strapi user, potentially reading or modifying content, user data, or administrative functions. The advisory is rated High severity with a CVSS v4.0 score still pending, but accepting credentialed cross-origin requests from arbitrary origins is a significant risk for any Strapi instance reachable from the internet, and for internal instances that a victim's browser can reach.

Mitigation

The vulnerability is fixed in Strapi version 5.20.0 [3]. Users should upgrade immediately, as no known workarounds exist [1]. After upgrading, configured origins must match the request origin exactly, including scheme and port, since the patched middleware compares the full origin string. The release notes state that full exploit details are being withheld to give users time to upgrade [3].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Ecosystem   Affected versions   Patched versions
@strapi/core   npm         < 5.20.0            5.20.0

Affected products

2 products
  • Strapi/Strapi (llm-fuzzy match): < 5.20.0
  • strapi/strapi (v5): < 5.20.0

Patches

1
6e535cb756

fix: port comparison

https://github.com/strapi/strapi · Ben Irvin · Jul 28, 2025 · via ghsa
1 file changed · +14 −4
  • packages/core/core/src/middlewares/cors.ts (modified, +14 −4)
    @@ -38,7 +38,9 @@ export const cors: Core.MiddlewareFactory<Config> = (config) => {
     
       return koaCors({
         async origin(ctx) {
    -      if (!ctx.get('Origin')) {
    +      const requestOrigin = ctx.get('Origin');
    +
    +      if (!requestOrigin) {
             return '*';
           }
     
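
Review bot: the `return '*'` in the `if (!requestOrigin)` branch is, as far as this patch shows, the only path that ever yields the wildcard; once the exact-match branch added later in this patch is in place, a configured origin of `'*'` is compared with `===` against a real request origin, never matches, and yields `''` for every browser request that carries an Origin header. If `'*'` is still a supported configuration value, handle it explicitly before the per-origin comparison (for example `if (originList === '*') return '*';`) or reject it at config validation with a clear error, rather than silently blocking all cross-origin traffic for wildcard deployments.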
    @@ -50,16 +52,24 @@ export const cors: Core.MiddlewareFactory<Config> = (config) => {
             originList = origin;
           }
     
    +      // Handle arrays of origins
           if (Array.isArray(originList)) {
    -        return originList.includes(ctx.get('Origin')) ? ctx.get('Origin') : '';
    +        return originList.includes(requestOrigin) ? requestOrigin : '';
           }
     
    +      // Handle comma-separated string of origins
           const parsedOrigin = originList.split(',').map((origin) => origin.trim());
           if (parsedOrigin.length > 1) {
    -        return parsedOrigin.includes(ctx.get('Origin')) ? ctx.get('Origin') : '';
    +        return parsedOrigin.includes(requestOrigin) ? requestOrigin : '';
    +      }
    +
    +      // Handle string of one origin with exact match (protocol, subdomain, domain, and port)
    +      if (typeof originList === 'string') {
    +        return originList === requestOrigin ? requestOrigin : '';
           }
     
    -      return originList;
    +      // block the request
    +      return '';
         },
         exposeHeaders: expose,
         maxAge,
    
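
Review bot: the `typeof originList === 'string'` guard sits after `originList.split(',')`, so a value that is neither an array nor a string (for example an `origin` callback that returns undefined) throws on `.split` before the `// block the request` fallback is reached, which as written is unreachable. Move the type check ahead of the split (`if (typeof originList !== 'string') return '';`) so the explicit deny path actually fires, and state the exact-match semantics from the comment in the configuration docs as well: with this branch `http://app.example` does not match `https://app.example` or the same host on another port, which is intended but will surprise operators whose single-string setting previously passed through unchanged.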

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.