Strapi Allows Unauthorized Access to Private Fields via parms.lookup

Description

It’s possible to access any private fields by filtering through the lookup parameters

Recommendation

Update the @strapi/core package to the latest compatible version. Followings are version details:

• Affected version(s): >= 5.0.0, < 5.5.2
• Patched version(s): 5.5.2

References

• GHSA-495j-h493-42q2
• CVE-2024-56143
• CWE-639
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• Unauthorized Access to Private Fields in User Registration API - @strapi/plugin-users-permissions - CVE-2023-39345
• Unauthorized Access to Private Fields in User Registration API - CVE-2023-39345
• Stored XSS via <iframe> in HAX CMS allows access to sensitive client-side data and account takeover - @haxtheweb/video-player - CVE-2026-46396
• Stored XSS via <iframe> in HAX CMS allows access to sensitive client-side data and account takeover - CVE-2026-46396

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

@strapi/core