npm package
@strapi/strapi
pkg:npm/%40strapi/strapi
Vulnerabilities (10)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-3930 | Med | — | — | < 5.24.1 | 5.24.1 | Oct 16, 2025 | Strapi uses JSON Web Tokens (JWT) for authentication. After logout or account deactivation, the JWT is not invalidated, which allows an attacker who has stolen or intercepted the token to freely reuse it until its expiration date (which is set to 30 days by default, but can be ch |
| CVE-2024-37818 | — | — | — | — | — | Jun 20, 2024 | Strapi v4.24.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /strapi.io/_next/image. This vulnerability allows attackers to scan for open ports or access sensitive information via a crafted GET request. NOTE: The Strapi Development Community arg |
| CVE-2023-39345 | — | — | — | >= 4.0.0, < 4.13.1 | 4.13.1 | Nov 6, 2023 | strapi is an open-source headless CMS. Versions prior to 4.13.1 did not properly restrict write access to fields marked as private in the user registration endpoint. As such malicious users may be able to errantly modify their user records. This issue has been addressed in versi |
| CVE-2023-34093 | — | — | — | < 4.10.8 | 4.10.8 | Jul 25, 2023 | Strapi is an open-source headless content management system. Prior to version 4.10.8, anyone (Strapi developers, users, plugins) can make every attribute of a Content-Type public without knowing it. The vulnerability only affects the handling of content types by Strapi, not the a |
| CVE-2023-22894 | — | — | — | >= 3.2.1, < 4.8.0 | 4.8.0 | Apr 19, 2023 | Strapi through 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. The attacker can filter users by columns that contain sensitive information and infer a value from API responses. If the attacker has super ad |
| CVE-2022-31367 | — | — | — | >= 4.0.0-next.0, < 4.1.10 | 4.1.10 | Sep 27, 2022 | Strapi before 3.6.10 and 4.x before 4.1.10 mishandles hidden attributes within admin API responses. |
| CVE-2022-32114 | — | — | — | <= 4.1.12 | — | Jul 13, 2022 | An unrestricted file upload vulnerability in the Add New Assets function of Strapi 4.1.12 allows attackers to conduct XSS attacks via a crafted PDF file. NOTE: the project documentation suggests that a user with the Media Library "Create (upload)" permission is supposed to be abl |
| CVE-2022-30618 | — | — | — | < 4.1.9 | 4.1.9 | May 19, 2022 | An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API users (from:users-permissions). There are man |
| CVE-2022-30617 | — | — | — | < 4.0.0-beta.15 | 4.0.0-beta.15 | May 19, 2022 | An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for other admin panel users that have a relationship (e.g., created by, updated by) with content accessible to the authenticated user. For exa |
| CVE-2021-46440 | — | — | — | >= 4.0.0, < 4.1.5 | 4.1.5 | May 3, 2022 | Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi before 3.6.9 and 4.x before 4.1.5 allows an attacker to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victim's cookie, and obtain a cleartext passwo |