Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-9329-mxxw-qwf8: Strapi core vulnerable to sensitive data exposure via CORS misconfiguration

Summary

A CORS misconfiguration vulnerability exists in default installations of Strapi where attacker-controlled origins are improperly reflected in API responses.

Technical Details

By default, Strapi reflects the value of the Origin header back in the Access-Control-Allow-Origin response header without proper validation or whitelisting.

Example: Origin: http://localhost:8888 Access-Control-Allow-Origin: http://localhost:8888 Access-Control-Allow-Credentials: true

This allows an attacker-controlled site (on a different port, like 8888) to send credentialed requests to the Strapi backend on 1337.

Suggested Fix

  1. Explicitly whitelist trusted origins
  2. Avoid reflecting dynamic origins
ghsa
Open in Source
#vulnerability#web#nodejs#git#intel#perl

Skip to content

Navigation Menu

    • GitHub Copilot

      Write better code with AI

    • GitHub Spark New

      Build and deploy intelligent apps

    • GitHub Models New

      Manage and compare prompts

    • GitHub Advanced Security

      Find and fix vulnerabilities

    • Actions

      Automate any workflow

*   Codespaces
    
    Instant dev environments
    
*   Issues
    
    Plan and track work
    
*   Code Review
    
    Manage code changes
    
*   Discussions
    
    Collaborate outside of code
    
*   Code Search
    
    Find more, search less
    

View all features

  • Explore

    • Learning Pathways
    • Events & Webinars
    • Ebooks & Whitepapers
    • Customer Stories
    • Partners
    • Executive Insights

    • GitHub Sponsors

      Fund open source developers

*   The ReadME Project
    
    GitHub community articles

    • Enterprise platform

      AI-powered developer platform

  • Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

Appearance settings

  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2025-53092

Strapi core vulnerable to sensitive data exposure via CORS misconfiguration

Moderate severity GitHub Reviewed Published Oct 16, 2025 in strapi/strapi • Updated Oct 16, 2025

Package

npm @strapi/core (npm)

Affected versions

< 5.20.0

Description

Summary

A CORS misconfiguration vulnerability exists in default installations of Strapi where attacker-controlled origins are improperly reflected in API responses.

Technical Details

By default, Strapi reflects the value of the Origin header back in the Access-Control-Allow-Origin response header without proper validation or whitelisting.

Example:
Origin: http://localhost:8888
Access-Control-Allow-Origin: http://localhost:8888
Access-Control-Allow-Credentials: true

This allows an attacker-controlled site (on a different port, like 8888) to send credentialed requests to the Strapi backend on 1337.

Suggested Fix

  1. Explicitly whitelist trusted origins
  2. Avoid reflecting dynamic origins

References

  • GHSA-9329-mxxw-qwf8
  • https://nvd.nist.gov/vuln/detail/CVE-2025-53092
  • strapi/strapi@6e535cb756
  • https://github.com/strapi/strapi/releases/tag/v5.20.0

Published to the GitHub Advisory Database

Oct 16, 2025

Last updated

Oct 16, 2025

EPSS score

ghsa: Latest News

GHSA-3g4j-r53p-22wx: Duplicate Advisory: FlowiseAI Pre-Auth Arbitrary Code Execution
ghsa