Npm/@Strapi/Core | GitLab Advisory Database

Strapi Password Hashing Missing Maximum Password Length Validation

Strapi's password hashing implementation using bcryptjs lacks maximum password length validation. Since bcryptjs truncates passwords exceeding 72 bytes, this creates potential vulnerabilities such as authentication bypass and performance degradation.

Strapi core vulnerable to sensitive data exposure via CORS misconfiguration

A CORS misconfiguration vulnerability exists in default installations of Strapi where attacker-controlled origins are improperly reflected in API responses.

Strapi Allows Unauthorized Access to Private Fields via parms.lookup

It's possible to access any private fields by filtering through the lookup parameters

Advisories for Npm/@Strapi/Core package