exploitDog

GHSA-9329-mxxw-qwf8

Published: 16 Oct 2025
Source: github
GitHub: Reviewed
CVSS3: 7.5

Description

Strapi core vulnerable to sensitive data exposure via CORS misconfiguration

Summary

A CORS misconfiguration vulnerability exists in default installations of Strapi where attacker-controlled origins are improperly reflected in API responses.

Technical Details

By default, Strapi reflects the value of the Origin header back in the Access-Control-Allow-Origin response header without proper validation or whitelisting.

Example:

  Origin: http://localhost:8888
  Access-Control-Allow-Origin: http://localhost:8888
  Access-Control-Allow-Credentials: true

This allows an attacker-controlled site (on a different port, such as 8888) to send credentialed requests to the Strapi backend on port 1337.

Suggested Fix

  1. Explicitly whitelist trusted origins
  2. Avoid reflecting dynamic origins
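The two behaviours the advisory contrasts, written out as an added example (this is not code from Strapi or from the advisory): a handler that reflects any Origin with credentials allowed, the allowlisting handler the suggested fix calls for, and a small audit check that flags the reflected-origin-plus-credentials combination in an observed response. The origin http://localhost:8888 is taken from the advisory; the trusted origin and the request objects are constructed for the example.

```javascript
// Added example, not code from Strapi or the advisory. Origins other than
// http://localhost:8888 (from the advisory) are constructed for this example.

// Weak behaviour described for @strapi/core < 5.20.0: whatever Origin the
// browser sends is echoed back, and credentials are allowed alongside it.
function reflectOrigin(requestHeaders) {
  const origin = requestHeaders.origin;
  if (!origin) return {};
  return {
    'access-control-allow-origin': origin,
    'access-control-allow-credentials': 'true',
  };
}

// Suggested fix: echo only origins on an explicit allowlist. The comparison
// is an exact string match on the full origin (scheme + host + port); prefix
// or regex matching is a common way to reintroduce the bug.
function allowlistOrigin(requestHeaders, allowedOrigins) {
  const origin = requestHeaders.origin;
  if (!origin || !allowedOrigins.includes(origin)) {
    // No Access-Control-Allow-Origin at all: the browser will not expose
    // the response to the calling page.
    return {};
  }
  return {
    'access-control-allow-origin': origin,
    'access-control-allow-credentials': 'true',
    // Tell caches the grant depends on Origin, so one origin's response
    // is never replayed to another.
    vary: 'Origin',
  };
}

// Audit check for a response seen in logs or tests: true when the Origin that
// was sent came back verbatim with credentials allowed, and that origin is not
// one the deployment is supposed to trust.
function reflectsUntrustedOrigin(sentOrigin, responseHeaders, trustedOrigins) {
  const acao = responseHeaders['access-control-allow-origin'];
  const acac = String(responseHeaders['access-control-allow-credentials'] || '').toLowerCase();
  return acao === sentOrigin && acac === 'true' && !trustedOrigins.includes(sentOrigin);
}

// Constructed scenario: the deployment trusts a single front-end origin, and a
// request arrives carrying the Origin from the advisory's example.
const TRUSTED = ['https://app.example.test'];
const untrustedRequest = { origin: 'http://localhost:8888' };
const trustedRequest = { origin: 'https://app.example.test' };

// Runs both handlers through the audit check and reports the outcome.
function runAudit() {
  return {
    weakReflectsUntrusted: reflectsUntrustedOrigin(
      untrustedRequest.origin, reflectOrigin(untrustedRequest), TRUSTED),
    fixedReflectsUntrusted: reflectsUntrustedOrigin(
      untrustedRequest.origin, allowlistOrigin(untrustedRequest, TRUSTED), TRUSTED),
    fixedStillServesTrusted:
      allowlistOrigin(trustedRequest, TRUSTED)['access-control-allow-origin'] === trustedRequest.origin,
  };
}

console.log(runAudit());
```

The audit function is the useful part for a defender: point it at the Origin you sent and the headers you got back from a staging instance, with your real allowlist as the third argument, and any `true` result means the deployment still reflects origins it should not trust.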

Packages

Name: @strapi/core (npm)
Affected versions: < 5.20.0
Fixed version: 5.20.0

EPSS

Percentile: 11%
Score: 0.00038
Low

CVSS3

7.5 High

Weaknesses

CWE-200
CWE-284
CWE-364
CWE-942

Related vulnerabilities

CVSS3: 6.5
nvd
4 months ago

Strapi is an open source headless content management system. Strapi versions prior to 5.20.0 contain a CORS misconfiguration vulnerability in default installations. By default, Strapi reflects the value of the Origin header back in the Access-Control-Allow-Origin response header without proper validation or whitelisting. This allows an attacker-controlled site to send credentialed requests to the Strapi backend. An attacker can exploit this by hosting a malicious site on a different origin (e.g., different port) and sending requests with credentials to the Strapi API. The vulnerability is fixed in version 5.20.0. No known workarounds exist.
