Strapi core vulnerable to sensitive data exposure via CORS misconfiguration
- Severity:
- High
Description
A CORS misconfiguration vulnerability exists in default installations of Strapi where attacker-controlled origins are improperly reflected in API responses.
Recommendation
Update the @strapi/core package to the latest compatible version. Followings are version details:
- Affected version(s): < 5.20.0
- Patched version(s): 5.20.0
References
- GHSA-9329-mxxw-qwf8
- CVE-2025-53092
- CWE-200
- CWE-284
- CWE-364
- CWE-942
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A5
- OWASP 2021-A6
Related Issues
- BrowserStack Local vulnerable to Command Injection through logfile variable - CVE-2025-57283
- DOM Clobbering Gadget found in astro's client-side router that leads to XSS - CVE-2024-47885
- Strapi Allows Unauthorized Access to Private Fields via parms.lookup - CVE-2024-56143
- Webrecorder packages are vulnerable to XSS through 404 error handling logic - CVE-2025-58765
- Tags:
- npm
- @strapi/core
Anything's wrong? Let us know Last updated on January 29, 2026