@strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass

Severity:: High

Description

By combining two vulnerabilities (an Open Redirect and session token sent as URL query parameter) in Strapi framework is its possible of an unauthenticated attacker to bypass authentication mechanisms and retrieve the 3rd party tokens. The attack requires user interaction (one click).

Recommendation

Update the @strapi/plugin-users-permissions package to the latest compatible version. Followings are version details:

Affected version(s): < 4.24.2
Patched version(s): 4.24.2

References

GHSA-wrvh-rcmr-9qfc
CVE-2024-34065
CWE-294
CWE-601
CAPEC-310
OWASP 2021-A1
OWASP 2021-A6
OWASP 2021-A7

Related Issues

Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying - CVE-2025-64526
Authentication Bypass in @strapi/plugin-users-permissions - Vulnerability
Unauthorized Access to Private Fields in User Registration API - @strapi/plugin-users-permissions - CVE-2023-39345
Strapi: Password Reset Does Not Revoke Existing Refresh Sessions - @strapi/plugin-users-permissions - CVE-2026-22706

How do hackers hack websites?

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

Update Cheat Sheet for Developers

Tags:: npm; @strapi/plugin-users-permissions

Anything's wrong? Let us know Last updated on November 20, 2024