
CVE-2024-52588 @strapi/admin

Package

Manager: npm
Name: @strapi/admin
Vulnerable Version: >=0 <4.25.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00059 (percentile 0.18484)

Details

Strapi allows Server-Side Request Forgery in the Webhook function

## Description

In the latest Strapi version, the Settings -> Webhooks function lets a user enter a URL to create a webhook. This field also accepts local addresses such as `localhost`, `127.0.0.1` and `0.0.0.0`, so the application can be made to send requests to itself, which is a Server-Side Request Forgery (SSRF) vulnerability.

## Payloads

- `http://127.0.0.1:80` -> the port is not open
- `http://127.0.0.1:1337` -> the port Strapi is running on

## Steps to Reproduce

- First, enter the URL `http://127.0.0.1:80` into the `URL` field and click "Save". ![CleanShot 2024-06-04 at 22 45 17@2x](https://github.com/strapi/strapi/assets/71650574/7336b817-cb61-41e6-9b3f-87151d8667e9)
- Next, use the "Trigger" function and capture the request/response with Burp Suite. ![CleanShot 2024-06-04 at 22 47 50@2x](https://github.com/strapi/strapi/assets/71650574/659f1bbe-6b03-456c-a9c2-5187fca20dd6)
- The server returns `request to http://127.0.0.1/ failed, reason: connect ECONNREFUSED 127.0.0.1:80` because port 80 is not open. Since Strapi is running on port 1337, change the URL entered above to `http://127.0.0.1:1337`. ![CleanShot 2024-06-04 at 22 50 13@2x](https://github.com/strapi/strapi/assets/71650574/a7916c86-1923-49ed-bd43-a70fa00d41e9)
- Click "Trigger" again and capture the request/response with Burp. ![CleanShot 2024-06-04 at 22 53 25@2x](https://github.com/strapi/strapi/assets/71650574/6fc51bb7-5a66-4b2b-b24f-2eba45ba1db9)
- The server returns `Method Not Allowed`, which confirms that a service is listening on port 1337 on the machine.

## PoC

PoC video: https://drive.google.com/file/d/1EvVp9lMpYnGLmUyr16gQ_2RetI-GqYjV/view?usp=sharing

## Impact

- On a real server running Strapi with many open ports, an attacker can use this SSRF to probe all 65535 ports and learn which of them are open.

Metadata

Created: 2025-05-27T17:59:52Z
Modified: 2025-05-29T21:03:02Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-v8wj-f5c7-pvxf/GHSA-v8wj-f5c7-pvxf.json
CWE IDs: ["CWE-918"]
Alternative ID: GHSA-v8wj-f5c7-pvxf
Finding: F100
Auto approve: 1