Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-3rtq-tkck-w3gf
Vulnerability ID VCID-3rtq-tkck-w3gf
Aliases CVE-2024-52588
GHSA-v8wj-f5c7-pvxf
Summary Strapi is an open-source content management system. Prior to version 4.25.2, inputting a local domain into the Webhooks URL field leads to the application fetching itself, resulting in a server side request forgery (SSRF). This issue has been patched in version 4.25.2.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-918 Server-Side Request Forgery (SSRF)
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00321 https://api.first.org/data/v1/epss?cve=CVE-2024-52588
cvssv3.1 4.9 https://github.com/strapi/strapi
generic_textual MODERATE https://github.com/strapi/strapi
cvssv3.1 4.9 https://github.com/strapi/strapi/security/advisories/GHSA-v8wj-f5c7-pvxf
generic_textual MODERATE https://github.com/strapi/strapi/security/advisories/GHSA-v8wj-f5c7-pvxf
ssvc Track https://github.com/strapi/strapi/security/advisories/GHSA-v8wj-f5c7-pvxf
cvssv3.1 4.9 https://nvd.nist.gov/vuln/detail/CVE-2024-52588
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2024-52588
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2024-52588
https://nvd.nist.gov/vuln/detail/CVE-2024-52588
GHSA-v8wj-f5c7-pvxf https://github.com/advisories/GHSA-v8wj-f5c7-pvxf
GHSA-v8wj-f5c7-pvxf https://github.com/strapi/strapi/security/advisories/GHSA-v8wj-f5c7-pvxf
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/strapi/strapi
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/strapi/strapi/security/advisories/GHSA-v8wj-f5c7-pvxf
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-29T13:44:22Z/ Found at https://github.com/strapi/strapi/security/advisories/GHSA-v8wj-f5c7-pvxf
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-52588
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.55516
EPSS Score 0.00321
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-10T18:35:01.156261+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2024/52xxx/CVE-2024-52588.json 38.6.0