CVE-2025-53092

Strapi is an open source headless content management system. Strapi versions prior to 5.20.0 contain a CORS misconfiguration vulnerability in default installations. By default, Strapi reflects the value of the Origin header back in the Access-Control-Allow-Origin response header without proper validation or whitelisting. This allows an attacker-controlled site to send credentialed requests to the Strapi backend. An attacker can exploit this by hosting a malicious site on a different origin (e.g., different port) and sending requests with credentials to the Strapi API. The vulnerability is fixed in version 5.20.0. No known workarounds exist.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/strapi/strapi/security/advisories/GHSA-9329-mxxw-qwf8	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*

History

25 Nov 2025, 15:54

Type	Values Removed	Values Added
CPE		cpe:2.3:a:strapi:strapi::::::::
First Time		Strapi strapi Strapi
References	~~() https://github.com/strapi/strapi/security/advisories/GHSA-9329-mxxw-qwf8 -~~	() https://github.com/strapi/strapi/security/advisories/GHSA-9329-mxxw-qwf8 - Vendor Advisory

16 Oct 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-10-16 17:15

Updated : 2025-11-25 18:44

NVD link : CVE-2025-53092

Mitre link : CVE-2025-53092

CVE.ORG link : CVE-2025-53092

JSON object : View

Products Affected

strapi

strapi

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-284

Improper Access Control

CWE-364

Signal Handler Race Condition

CWE-942

Permissive Cross-domain Policy with Untrusted Domains

6.5 /10