Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying

Description

No description available.

Recommendation

Update the @strapi/plugin-users-permissions package to the latest compatible version. Followings are version details:

• Affected version(s): <= 5.44.0
• Patched version(s): 5.45.0

References

• GHSA-7mqx-wwh4-f9fw
• CVE-2025-64526
• CWE-307
• CAPEC-310
• OWASP 2021-A6
• OWASP 2021-A7

Related Issues

• Strapi Improper Rate Limiting vulnerability - @strapi/plugin-users-permissions - CVE-2023-38507
• @strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass - CVE-2024-34065
• Strapi plugins vulnerable to Server-Side Template Injection and Remote Code Execution in the Users-Permissions Plugin - CVE-2023-22621
• Strapi plugins vulnerable to Server-Side Template Injection and Remote Code Execution in the Users-Permissions Plugin - @strapi/plugin-email - CVE-2023-22621

You might also like:

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:

npm

@strapi/plugin-users-permissions