VulnerableCode Package Details - pkg:npm/%40strapi/plugin-users-permissions@4.0.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-jpqv-dukr-fyhu Aliases: CVE-2023-39345 GHSA-gc7p-j5xm-xxh2	Unauthorized Access to Private Fields in User Registration API ### System Details \| Name \| Value \| \|----------\|------------------------\| \| OS \| Windows 11 \| \| Version \| 4.11.1 (node v16.14.2) \| \| Database \| mysql \| ### Description I marked some fields as private fields in user content-type, and tried to register as a new user via api, at the same time I added content to fill the private fields and sent a post request, and as you can see from the images below, I can write to the private fields. To prevent this, I went to the extension area and tried to extend the register method, for this I wanted to do it using the sanitizeInput function that I know in the source codes of the strap. But the sanitizeInput function does not filter out private fields. ```js const { auth } = ctx.state; const data = ctx.request.body; const userSchema = strapi.getModel("plugin::users-permissions.user"); sanitize.contentAPI.input(data, userSchema, { auth }); ``` here's the solution I've temporarily kept to myself, code snippet ```js const body = ctx.request.body; const { attributes } = strapi.getModel("plugin::users-permissions.user"); const sanitizedData = _.omitBy(body, (data, key) => { const attribute = attributes[key]; if (_.isNil(attribute)) { return false; } //? If you want, you can throw an error for fields that we does not expect. // if (_.isNil(attribute)) // throw new ApplicationError(`Unexpected value ${key}`); // if private value is true, we do not want to send it to the database. return attribute.private; }); return sanitizedData; ```	4.13.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-jpqv-dukr-fyhu
Aliases:
CVE-2023-39345
GHSA-gc7p-j5xm-xxh2

Unauthorized Access to Private Fields in User Registration API ### System Details | Name | Value | |----------|------------------------| | OS | Windows 11 | | Version | 4.11.1 (node v16.14.2) | | Database | mysql | ### Description I marked some fields as private fields in user content-type, and tried to register as a new user via api, at the same time I added content to fill the private fields and sent a post request, and as you can see from the images below, I can write to the private fields. To prevent this, I went to the extension area and tried to extend the register method, for this I wanted to do it using the sanitizeInput function that I know in the source codes of the strap. But the sanitizeInput function does not filter out private fields. ```js const { auth } = ctx.state; const data = ctx.request.body; const userSchema = strapi.getModel("plugin::users-permissions.user"); sanitize.contentAPI.input(data, userSchema, { auth }); ``` here's the solution I've temporarily kept to myself, code snippet ```js const body = ctx.request.body; const { attributes } = strapi.getModel("plugin::users-permissions.user"); const sanitizedData = _.omitBy(body, (data, key) => { const attribute = attributes[key]; if (_.isNil(attribute)) { return false; } //? If you want, you can throw an error for fields that we does not expect. // if (_.isNil(attribute)) // throw new ApplicationError(`Unexpected value ${key}`); // if private value is true, we do not want to send it to the database. return attribute.private; }); return sanitizedData; ```

4.13.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:46:14.833876+00:00	GitLab Importer	Affected by	VCID-jpqv-dukr-fyhu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@strapi/plugin-users-permissions/CVE-2023-39345.yml	38.6.0

2026-06-02T04:46:14.833876+00:00

GitLab Importer

Affected by

VCID-jpqv-dukr-fyhu

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@strapi/plugin-users-permissions/CVE-2023-39345.yml

38.6.0

Next non-vulnerable version	4.5.6
Latest non-vulnerable version	4.13.1
Risk