CVE-2025-53092
BaseFortify
Publication date: 2025-10-16
Last updated on: 2025-11-25
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| strapi | strapi | to 5.20.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-364 | The product uses a signal handler that introduces a race condition. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-942 | The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a CORS misconfiguration in Strapi versions prior to 5.20.0. Strapi reflects the Origin header value back in the Access-Control-Allow-Origin response header without proper validation or whitelisting. This allows an attacker-controlled site on a different origin to send credentialed requests to the Strapi backend, potentially exploiting the system.
How can this vulnerability impact me? :
An attacker can exploit this vulnerability by hosting a malicious site on a different origin and sending requests with credentials to the Strapi API. This could lead to unauthorized access or actions performed on behalf of legitimate users, potentially compromising sensitive data or system integrity.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Strapi to version 5.20.0 or later, as this version contains the fix for the CORS misconfiguration vulnerability. No known workarounds exist, so applying the update is the recommended immediate mitigation step.