CVE-2025-53092

MEDIUM EPSS 17.6%

Published Oct 16, 20258mo ago · Modified Jun 17, 20261w ago

6.5 CVSS 3.1

Medium

Published Oct 16, 2025 8mo ago

Last Modified Jun 17, 2026 1w ago

Description

Strapi is an open source headless content management system. Strapi versions prior to 5.20.0 contain a CORS misconfiguration vulnerability in default installations. By default, Strapi reflects the value of the Origin header back in the Access-Control-Allow-Origin response header without proper validation or whitelisting. This allows an attacker-controlled site to send credentialed requests to the Strapi backend. An attacker can exploit this by hosting a malicious site on a different origin (e.g., different port) and sending requests with credentials to the Strapi API. The vulnerability is fixed in version 5.20.0. No known workarounds exist.

CVSS Details

Base Score

6.5

Exploitability

2.8

Impact

3.6

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction Required

Scope Unchanged

Confidentiality High

Integrity None

Availability None

Threat Intelligence

EPSS Exploit Probability

17.6% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 4

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Information Exposure

CWE-284

CWE-364

CWE-942

Affected Products 1

Vendor	Product	Version	Range
strapi	strapi	*	<5.20.0

References 1

github.com https://github.com/strapi/strapi/security/advisories/GHSA-9329-mxxw-qwf8

Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.