CVE-2025-53092
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-53092, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-10-16

Last updated on: 2025-11-25

Assigner: GitHub, Inc.

Description

Strapi is an open source headless content management system. Strapi versions prior to 5.20.0 contain a CORS misconfiguration vulnerability in default installations. By default, Strapi reflects the value of the Origin header back in the Access-Control-Allow-Origin response header without proper validation or whitelisting. This allows an attacker-controlled site to send credentialed requests to the Strapi backend. An attacker can exploit this by hosting a malicious site on a different origin (e.g., different port) and sending requests with credentials to the Strapi API. The vulnerability is fixed in version 5.20.0. No known workarounds exist.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-10-16
Last Modified
2025-11-25
Generated
2026-07-06
AI Q&A
2025-10-16
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
strapi strapi to 5.20.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-942 The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
CWE-364 The product uses a signal handler that introduces a race condition.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a CORS misconfiguration in Strapi versions prior to 5.20.0. Strapi reflects the Origin header value back in the Access-Control-Allow-Origin response header without proper validation or whitelisting. This allows an attacker-controlled site on a different origin to send credentialed requests to the Strapi backend, potentially exploiting the system.

Impact Analysis

An attacker can exploit this vulnerability by hosting a malicious site on a different origin and sending requests with credentials to the Strapi API. This could lead to unauthorized access or actions performed on behalf of legitimate users, potentially compromising sensitive data or system integrity.

Mitigation Strategies

Upgrade Strapi to version 5.20.0 or later, as this version contains the fix for the CORS misconfiguration vulnerability. No known workarounds exist, so applying the update is the recommended immediate mitigation step.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-53092. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart