npm package
@strapi/core
pkg:npm/%40strapi/core
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-53092 | — | — | — | < 5.20.0 | 5.20.0 | Oct 16, 2025 | Strapi is an open source headless content management system. Strapi versions prior to 5.20.0 contain a CORS misconfiguration vulnerability in default installations. By default, Strapi reflects the value of the Origin header back in the Access-Control-Allow-Origin response header… |
| CVE-2025-25298 | — | — | — | < 5.10.3 | 5.10.3 | Oct 16, 2025 | Strapi is an open source headless CMS. The @strapi/core package before version 5.10.3 does not enforce a maximum password length when using bcryptjs for password hashing. Bcryptjs ignores any bytes beyond 72, so passwords longer than 72 bytes are silently truncated. A user can cr… |
| CVE-2024-56143 | — | — | — | >= 5.0.0, < 5.5.2 | 5.5.2 | Oct 16, 2025 | Strapi is an open-source headless content management system. In versions from 5.0.0 to before 5.5.2, the lookup operator provided by the document service does not properly sanitize query parameters for private fields. An attacker can access private fields, including admin passwor… |
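CVE-2025-53092 is the classic reflected-Origin pattern: a server that copies the request's Origin header into Access-Control-Allow-Origin (and sends Access-Control-Allow-Credentials: true) lets any web page the victim visits read authenticated API responses. The following is an added example, not Strapi's own code: it models the reflecting behaviour next to an exact-match allowlist, gives a check you can run against a captured response, and shows the Strapi middleware config entry (`strapi::cors` with an `origin` list in config/middlewares.js) that pins allowed origins explicitly. The origins listed are placeholders.

```javascript
// Added example (not Strapi's code). Models the CORS behaviour described in
// CVE-2025-53092 and the allowlist that replaces it. All origins are placeholders.

// Vulnerable behaviour: whatever Origin the browser sent is echoed back verbatim.
// With Allow-Credentials: true, a page on any origin can read authenticated responses.
function reflectingCors(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}

// Hardened behaviour: exact match against an allowlist of normalized origins
// (scheme + host + port). No substring or regex matching on the raw header, so
// https://app.example.com.attacker.example does not pass for https://app.example.com.
function allowlistCors(requestOrigin, allowedOrigins) {
  if (!requestOrigin) return {};
  let normalized;
  try {
    normalized = new URL(requestOrigin).origin; // lowercases host, drops default port
  } catch {
    return {}; // malformed or literal "null" Origin: emit no CORS headers at all
  }
  if (!allowedOrigins.includes(normalized)) return { Vary: 'Origin' };
  return {
    'Access-Control-Allow-Origin': normalized,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}

// Check for a live response: send a request with an Origin you do not own
// (e.g. curl -si -H 'Origin: https://attacker.example' https://api.example.com/api/articles)
// and feed the response headers here. true means the origin was reflected although
// it is not on your allowlist.
function reflectsUntrustedOrigin(responseHeaders, sentOrigin, allowedOrigins) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  return acao === sentOrigin && !allowedOrigins.includes(sentOrigin);
}

// Explicit configuration for Strapi's CORS middleware (entry in config/middlewares.js).
// Shape follows Strapi's documented strapi::cors options; the origins are assumptions.
const hardenedCorsMiddlewareEntry = {
  name: 'strapi::cors',
  config: {
    origin: ['https://app.example.com', 'https://admin.example.com'],
    credentials: true,
  },
};

// Constructed demonstration.
const ALLOWED = hardenedCorsMiddlewareEntry.config.origin;
const probeOrigin = 'https://attacker.example';
console.log('reflecting:', reflectsUntrustedOrigin(reflectingCors(probeOrigin), probeOrigin, ALLOWED)); // true
console.log('allowlist :', reflectsUntrustedOrigin(allowlistCors(probeOrigin, ALLOWED), probeOrigin, ALLOWED)); // false
```

Pinning `origin` in the middleware config is worth doing even on patched versions: the fix changes the default, but an explicit allowlist is what you can audit, and it keeps `credentials: true` from ever being paired with an origin you did not choose.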
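CVE-2025-25298 is about what bcrypt does with input it was never told to reject: bcrypt and bcryptjs key the hash from at most 72 bytes of the password, so two passwords that agree on their first 72 bytes hash identically, and the limit is in bytes, not characters, so a 40-character password made of 2-byte characters is already over it. The following is an added example, not Strapi's code and not a call into bcryptjs: it models the truncation with a plain byte comparison so it runs offline, and shows the length check that belongs in front of both hashing and verification.

```javascript
// Added example (not Strapi's code). Models the bcrypt 72-byte truncation behind
// CVE-2025-25298 without calling bcrypt, and shows the check that should precede it.
const BCRYPT_MAX_BYTES = 72;

// bcrypt consumes UTF-8 bytes. String.length counts UTF-16 code units, so it
// under-counts anything outside ASCII; always measure in bytes.
function passwordByteLength(password) {
  return Buffer.byteLength(password, 'utf8');
}

// The portion of the password bcrypt actually keys the hash from.
function bcryptEffectiveBytes(password) {
  return Buffer.from(password, 'utf8').subarray(0, BCRYPT_MAX_BYTES);
}

// True when two different passwords would produce the same bcrypt hash
// (given the same salt) because they only differ after byte 72.
function silentlyCollide(a, b) {
  return a !== b && bcryptEffectiveBytes(a).equals(bcryptEffectiveBytes(b));
}

// Run on registration, password change AND login. Rejecting over-long candidates on
// login matters too: otherwise a truncated candidate can still match a stored hash.
function validatePasswordLength(password) {
  const bytes = passwordByteLength(password);
  if (bytes > BCRYPT_MAX_BYTES) {
    return { ok: false, bytes, reason: `password is ${bytes} bytes; bcrypt uses only the first ${BCRYPT_MAX_BYTES}` };
  }
  return { ok: true, bytes };
}

// Constructed demonstration: a 72-byte prefix followed by different suffixes.
const prefix = 'a'.repeat(BCRYPT_MAX_BYTES);
console.log(silentlyCollide(prefix + 'hunter2', prefix + 'wrong'));   // true: bcrypt would accept either
console.log(validatePasswordLength(prefix + 'hunter2'));              // { ok: false, bytes: 79, ... }
console.log(validatePasswordLength('é'.repeat(40)));                  // 40 chars but 80 bytes: rejected
```

If a product needs to accept longer passphrases, the usual alternative is to pre-hash (for example SHA-256, then encode) before bcrypt rather than silently truncate; whichever is chosen, the policy must be the same on the hashing and the verifying path, or existing users lock themselves out.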
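CVE-2024-56143 concerns filters, not reads: even when a private field such as a password hash is stripped from responses, letting a caller filter on it turns the API into a yes/no oracle, and prefix operators then leak the value a character at a time. The general fix is to validate every filter key against the content-type schema, walking through logical operators and relations, and to drop or reject anything that targets a `private` attribute. The following is an added example, not Strapi's code: the schemas are a small model of Strapi's schema shape (`attributes` with `type`, `private`, and `relation` with a `target` uid) constructed for the example, and the sanitizer is a generic one, not the document service's own implementation.

```javascript
// Added example (not Strapi's code). Generic filter sanitizer of the kind
// CVE-2024-56143 calls for: every attribute named in a filter is checked against
// the content-type schema, through $and/$or/$not and across relations, and private
// attributes are rejected. Schemas below are constructed for the example.
const schemas = {
  'api::article.article': {
    attributes: {
      title: { type: 'string' },
      createdBy: { type: 'relation', target: 'admin::user' },
    },
  },
  'admin::user': {
    attributes: {
      email: { type: 'email' },
      password: { type: 'password', private: true },
      resetPasswordToken: { type: 'string', private: true },
    },
  },
};

// Returns the cleaned filter object plus the paths that were rejected, so the caller
// can choose to answer 400 instead of silently running a broader query.
function sanitizeFilters(filters, uid, registry = schemas) {
  const rejected = [];
  const cleaned = walk(filters, uid, registry, '', rejected);
  return { filters: cleaned === undefined ? {} : cleaned, rejected };
}

function walk(node, uid, registry, path, rejected) {
  if (Array.isArray(node)) {
    // $and / $or operands: sanitize each, drop operands that became empty
    const items = node
      .map((n) => walk(n, uid, registry, path, rejected))
      .filter((n) => n !== undefined);
    return items.length ? items : undefined;
  }
  if (node === null || typeof node !== 'object') return node; // leaf value
  const attributes = (registry[uid] && registry[uid].attributes) || {};
  const out = {};
  for (const [key, value] of Object.entries(node)) {
    const here = path ? `${path}.${key}` : key;
    if (key.startsWith('$')) {
      // logical operator: operands still refer to the same content type
      const v = walk(value, uid, registry, here, rejected);
      if (v !== undefined) out[key] = v;
      continue;
    }
    const attr = attributes[key];
    if (!attr || attr.private) {
      rejected.push(here); // unknown or private attribute: never reaches the query engine
      continue;
    }
    if (attr.type === 'relation') {
      // follow the relation and validate against the target content type
      const v = walk(value, attr.target, registry, here, rejected);
      if (v !== undefined) out[key] = v;
    } else {
      out[key] = value; // comparison operators on a public attribute pass through
    }
  }
  return Object.keys(out).length ? out : undefined;
}

// Constructed request: a legitimate title filter mixed with probes on private fields
// of the related admin user, the shape that would act as an oracle if it ran.
const untrustedFilters = {
  $or: [
    { title: { $contains: 'cors' } },
    { createdBy: { password: { $startsWith: '$2a$10$' } } },
  ],
  createdBy: { email: 'admin@example.com', resetPasswordToken: { $notNull: true } },
};
console.log(JSON.stringify(sanitizeFilters(untrustedFilters, 'api::article.article')));
// {"filters":{"$or":[{"title":{"$contains":"cors"}}],"createdBy":{"email":"admin@example.com"}},
//  "rejected":["$or.createdBy.password","createdBy.resetPasswordToken"]}
```

Returning the rejected paths is deliberate: for a public API, a 400 on any rejected path is the safer default, because quietly widening the query can itself be a different information leak.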