✨ Strapi MCP is now Generally Available - let your agents manage your Strapi content ✨

Security & Privacy10 min read

Security Disclosure of Vulnerabilities: CVE-2023-36472, CVE-2023-38507, CVE-2023-37263, and CVE-2023-39345

September 13, 2023Updated on June 14, 2026

Disclosure Summary

Thanks to three community members, we have been notified and patched four security vulnerabilities:

Per our security policy, we are performing our due diligence by publicly disclosing these vulnerabilities after careful testing, validation, communication, and our mandatory waiting period. For further details of the patched vulnerabilities, please refer to the information below or consult the linked GitHub Advisories.

We would like to thank the following community members for their participation in our security program:

Immediate resolution steps for all vulnerabilities disclosed here

To immediately resolve all vulnerabilities detailed in this post, please update all of your Strapi packages to version v4.13.5. To upgrade your Strapi application either for self-hosted (community & enterprise) and Strapi Cloud please see our update guide and any relevant migration guides.

Note that the patched version was originally v4.13.1 however, there were a few hotfixes for some unrelated issues which is why we recommend upgrading straight to v4.13.5 or greater.

CVE-2023-36472: Leaking sensitive user information, user reset password tokens, via content-manager views

Summary of CVE-2023-36472 Vulnerability Details

  • CVE: CVE-2023-36472
  • CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
  • Affected Versions: <=4.11.6
  • How to Patch: Immediately update your Strapi to version >=4.11.7

Description of CVE-2023-36472

The content-manager plugin was not configured to filter out specific types of fields that cannot be assigned to views or, if allowed to be shown and these types were a relation it was possible to select a main field to be shown in the relation dropdown that included the value. This was corrected by properly limiting certain attributes from being unable to be shown within the content-manager views or by taking advantage of the previously built sanitization functions not to send the values of these to the admin panel.

This vulnerability requires direct authorized access to the Strapi admin panel and requires permissions to be able to modify the content-manager views.

IoC's for CVE-2023-36472

Review your content-manager views to ensure the main fields were not changed to private attributes. Due to the nature of this vulnerability, there are no other indicators of compromise.

Timeline for CVE-2023-36472

TimeEvent
2023/06/19 08:35am GMTReport of the vulnerability received by the Strapi Security Team
2023/06/28 06:55am GMTVulnerability report was accepted by the Strapi Team
2023/06/28 02:10pm GMTPatch developed and pushed to internal fork for testing
2023/06/28 02:22pm GMTPatch verified internally and merged into the main codebase
2023/06/28 12:36pm GMTExperimental release as created and passed to the reporter to verify patch
2023/06/28 01:49pm GMTReporter verified patch worked as expected
2023/06/28 02:15pm GMTPatch was released in Strapi version v4.11.7
2023/06/28 03:03pm GMTGitHub issued CVE-2023-36472 per our request
2023/06/28 03:15pm GMTDisclosure communication placed on hold due to internal requirements and other vulnerability work being performed
2023/07/20 05:21pm GMTDisclosure placed on hold due to another related vulnerability
2023/07/20 05:21pm GMTNew waiting period of an additional 2 weeks initiated
2023/08/25 09:31pm GMTDisclosure placed on hold due to another related vulnerability
2023/08/31 10:44pm GMTInitial warning email was sent out to all Strapi Enterprise and Cloud Customers including Strapi partners with active enterprise contracts
2023/08/31 10:44pm GMTMandatory waiting period of 2 weeks initiated
2023/09/13 05:00pm GMTReleased the full disclosure of the vulnerability and published GitHub Advisories
2023/09/13 08:00pm GMTDisclosure email was sent out to all Strapi Enterprise and Cloud Customers, including Strapi partners with active enterprise contracts

CVE-2023-38507: Improper Rate Limiting

Summary of CVE-2023-38507 Vulnerability Details

  • CVE: CVE-2023-38507
  • CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  • Affected Versions: <=4.12.0
  • How to Patch: Immediately update your Strapi to version >=4.12.1

Description of CVE-2023-38507

Due to a bug in the way the default rate-limiting middlewares were constructed and due to the way Koa.js parses the path when checking against koa-router, it was possible to bypass the rate limits by slightly altering the API requests and swapping out lower-case letters from upper-case or by adding a trailing slash to the request. Koa router will by default handle this when running the regex to match the routes but it does not update the internal reference within the ctx.request object and as such our default middlewares were constructing a rate-limit key that took the ctx.request.path literally with no transformation. This was corrected by properly constructing a new key that forces the path to lowercase and removes any extra trailing slash for the purposes of rate-limiting. Both the admin-api and users-permissions auth endpoints were fixed and their rate-limit middlewares harmonized to ensure the same rate-limit logic is applied to both in the correct way.

IoC's for CVE-2023-38507

Review your application logs to check for a large number of failed authentication requests in a short period of time. Due to the nature of this vulnerability, there are no other indicators of compromise.

Timeline for CVE-2023-38507

TimeEvent
2023/06/05 07:55pm GMTReport of the vulnerability received by the Strapi Security Team
2023/06/12 09:27am GMTVulnerability report was accepted by the Strapi Team
2023/06/21 03:58pm GMTReporter provided additional reproduction information and similar CVEs from other software
2023/06/29 11:13pm GMTReporter asked for an update on when patch development would start
2023/07/03 07:29pm GMTPatch developer notified reporter that patch development would begin soon as we had some people on vacation
2023/07/17 09:00pm GMTPatch was developed and internal private PR created
2023/07/17 09:00pm GMTAn experimental release was made with the changes communicated previously for testing
2023/07/17 12:19am GMTReporter notified the Strapi Security Team that an additional workaround to the fix could still lead to vuln
2023/07/19 07:27am GMTPatch updated to fix additional workaround and new experimental released
2023/07/26 01:19pm GMTGitHub issued CVE-2023-38507 per our request
2023/07/26 01:19pm GMTPatch was released in Strapi version v4.12.1
2023/08/03 09:23pm GMTDisclosure communication placed on hold due to internal requirements and other vulnerability work being performed
2023/08/25 09:31pm GMTDisclosure placed on hold due to another related vulnerability
2023/08/31 10:44pm GMTInitial warning email was sent out to all Strapi Enterprise and Cloud Customers including Strapi partners with active enterprise contracts
2023/08/31 10:44pm GMTMandatory waiting period of 2 weeks initiated
2023/09/13 05:00pm GMTReleased the full disclosure of the vulnerability and published GitHub Advisories
2023/09/13 08:00pm GMTDisclosure email was sent out to all Strapi Enterprise and Cloud Customers, including Strapi partners with active enterprise contracts

CVE-2023-37263: Field level permissions not being respected in relationship title

Summary of CVE-2023-37263 Vulnerability Details

  • CVE: CVE-2023-37263
  • CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
  • Affected Versions: <=4.12.0
  • How to Patch: Immediately update your Strapi to version >=4.12.1

Description of CVE-2023-37263

RBAC permissions were not being properly respected within the content-manager views allowing for private fields to be set as the entity title within the content-manager edit view. This was resolved; a check was added to validate if a set field is private or sensitive in nature and will no longer be shown as an option to the user to change the entity title too. Likewise, if any were changed they will instead default back to the entity's ID without any user modification needed.

IoC's for CVE-2023-37263

Review your content-manager views to ensure the title field was not changed to a private attribute. Due to the nature of this vulnerability, there are no other indicators of compromise.

Timeline for CVE-2023-37263

TimeEvent
2023/07/01 04:46pm GMTReport of the vulnerability received by the Strapi Security Team
2023/07/06 04:26pm GMTVulnerability report was accepted by the Strapi Team
2023/07/06 04:26pm GMTGitHub issued CVE-2023-37263 per our request
2023/07/25 03:34pm GMTAn experimental release was made with the changes communicated previously for testing
2023/07/27 02:18pm GMTPatch was released in Strapi version v4.12.1
2023/08/03 09:32pm GMTDisclosure communication placed on hold due to internal requirements and other vulnerability work being performed
2023/08/25 09:31pm GMTDisclosure placed on hold due to another related vulnerability
2023/08/31 10:44pm GMTInitial warning email was sent out to all Strapi Enterprise and Cloud Customers including Strapi partners with active enterprise contracts
2023/08/31 10:44pm GMTMandatory waiting period of 2 weeks initiated
2023/09/13 05:00pm GMTReleased the full disclosure of the vulnerability and published GitHub Advisories
2023/09/13 08:00pm GMTDisclosure email was sent out to all Strapi Enterprise and Cloud Customers, including Strapi partners with active enterprise contracts

CVE-2023-39345: Unauthorized Access to Private Fields in User Registration API

Summary of CVE-2023-39345 Vulnerability Details

  • CVE: CVE-2023-39345
  • CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
  • Affected Versions: <4.13.1
  • How to Patch: Immediately update your Strapi to version >=4.13.5

Description of CVE-2023-39345

In Strapi versions prior to v4.13.1, custom fields added to the users-permissions user were not properly validated or sanitized during registration as we were only handling fields which Strapi originally added.

For the fix on this, we opted to continue to allow users to handle custom fields during registration but added both a warning to users when the app starts and some configuration options to let them strictly control which custom fields are allowed to be set during registion (calling the /api/auth/local/register route).

For this vulnerability, we opted not to construct any IoCs since generally, it required manual user input for some custom fields but if you are unsure review your users-permissions content-type for any fields you added and check your registered users to confirm which fields have data in them and if they should.

For additional details on how to configure the allowed fields in this version please see the following documentation.

Timeline for CVE-2023-39345

TimeEvent
2023/06/19 01:22am GMTReport of the vulnerability received by the Strapi Security Team
2023/07/07 06:04pm GMTVulnerability report was accepted by the Strapi Team
2023/07/20 04:43pm GMTAn experimental release was made with the changes communicated previously for testing
2023/08/04 06:45pm GMTGitHub issued CVE-2023-39345 per our request
2023/08/30 03:20pm GMTPatch was released in Strapi version v4.13.1
2023/08/31 10:44pm GMTInitial warning email was sent out to all Strapi Enterprise and Cloud Customers including Strapi partners with active enterprise contracts
2023/08/31 10:44pm GMTMandatory waiting period of 2 weeks initiated
2023/09/13 05:00pm GMTReleased the full disclosure of the vulnerability and published GitHub Advisories
2023/09/13 08:00pm GMTDisclosure email was sent out to all Strapi Enterprise and Cloud Customers, including Strapi partners with active enterprise contracts

Commitment to Responsible Disclosure

We at Strapi do believe in responsible disclosure. In the case of these vulnerabilities, we have worked with the security researcher to ensure that the vulnerabilities were patched before the full disclosure of the vulnerabilities. Once a vulnerability is patched, we added a notice to our release notes to inform users there was a security vulnerability but initially wanted to delay detailed disclosure for a few weeks to give time for users to upgrade before the release of the full disclosure. As an additional step, we immediately notified our customers via several emails beforehand to ensure they were aware of the vulnerabilities and to upgrade their Strapi servers.

In this case, we believe that delaying the detailed disclosure was important to ensure that users had the time required to upgrade their Strapi servers before making the details of each vulnerability public, thus placing that information in the hands of bad actors. We also believe that the security researcher was very professional and responsible in handling the vulnerabilities, and we are very thankful for their work in helping us improve the security of Strapi.

We urge anyone who believes they have discovered a security vulnerability to assist us in responsibly disclosing the vulnerability to us by submitting a GitHub Advisory on our main repo or by contacting our security team via security@strapi.io.

Thanks,

The Strapi Security Team

Derrick Mehaffy Support Engineer Team Lead
Security Disclosure of Vulnerabilities for June
Security & Privacy·8 min read

Security Disclosure of Vulnerabilities: CVE-2024-31217, CVE-2024-29181, and CVE-2024-34065 for June 2024

This article details and discloses four security vulnerabilities and recommends immediate upgrading to fix them.

·June 12, 2024
API security
Security & PrivacyBeginner·11 min read

Best Practices of API Security in Strapi

Learn about the best practices for API security in Strapi to protect your data from potential threats and vulnerabilities.

·August 9, 2023
Security Disclosure of Vulnerabilities_ CVE-2023-34235 and CVE-2023-34093
Security & Privacy·6 min read

Security Disclosure of Vulnerabilities: CVE-2023-34235 and CVE-2023-34093

This article details and discloses two security vulnerabilities and recommends immediate upgrading to fix them.

·July 25, 2023