Advisories for Npm/@Strapi/Admin package

2025

Strapi allows Server-Side Request Forgery in Webhook function

In Strapi latest version, at function Settings -> Webhooks, the application allows us to input a URL in order to create a Webook connection. However, we can input into this field the local domains such as localhost, 127.0.0.1, 0.0.0.0,…. in order to make the Application fetching into the internal itself, which causes the vulnerability Server - Side Request Forgery (SSRF).

2023

Strapi may leak sensitive user information, user reset password, tokens via content-manager views

Attackers can get access to user reset password tokens if they have the configure view permissions.

Strapi Improper Rate Limiting vulnerability

Summary There is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. 2. Details It is possible to avoid this by modifying the rate-limited request path as follows. Manipulating request paths to upper or lower case. (Pattern 1) In this case, avoidance is possible with various patterns. Add path slashes to the end of the request path. (Pattern 2) 3. …