Strapi plugins vulnerable to Server-Side Template Injection and Remote Code Execution in the Users-Permissions Plugin
- Severity: High
Description
Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server.
Recommendation
Update the @strapi/plugin-users-permissions package to the latest compatible version. Version details:
- Affected version(s): < 4.5.6
- Patched version(s): 4.5.6
References
- GHSA-2h87-4q2w-v4hf
- strapi.io
- www.ghostccamm.com
- CVE-2023-22621
- CWE-74
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Strapi plugins vulnerable to Server-Side Template Injection and Remote Code Execution in the Users-Permissions Plugin (GHSA-2h87-4q2w-v4hf) - CVE-2023-22621
- Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution - CVE-2023-36475
- @strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass - CVE-2024-34065
- Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package - CVE-2025-68619
- Tags: npm, @strapi/plugin-users-permissions
Last updated on November 07, 2023