CVE-2025-64526
CVE-2025-64526 is a medium-severity vulnerability in Strapi with a CVSS 3.x base score of 5.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-307.
Key facts
- Severity: Medium (CVSS 3.x base score 5.3)
- CVSS v4: 6.9
- EPSS exploit prediction: 0% (39th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-209860
- Weakness: CWE-307
- Affected product: Strapi
- Published:
- Last modified:
Description
Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from `ctx.request.body.email`, including on routes whose body schema does not contain an `email` field (`/auth/local`, `/auth/reset-password`, `/auth/change-password`). An unauthenticated attacker could include an arbitrary `email` value in the request body to obtain a fresh rate-limit key per request, effectively bypassing per-IP throttling on those routes and enabling high-volume credential brute-force, password-reset code brute-force, and credential-stuffing attempts. The rate-limit key was constructed as `${userIdentifier}:${requestPath}:${ctx.request.ip}`, where `userIdentifier = ctx.request.body.email`. On routes that legitimately use email as their identifier (e.g. `/auth/forgot-password`, `/auth/local/register`), this scoping is correct. On routes that use a different identifier (`identifier` for login, `code` for password reset, `currentPassword` for password change), the email field was not part of the route contract, but the middleware still incorporated it into the key, allowing a caller to rotate the value and obtain a unique key on every request. The patch in version 5.45.0 maintains an allow-list of routes that legitimately key on the email field and excludes that key component on every other route the middleware is mounted on. OAuth callback paths (`/connect/*`) are treated identifier-less. On routes outside the allow-list, the middleware now falls back to a fixed identifier-less key, ensuring per-IP throttling remains effective even when the request body is attacker-controlled.
Frequently asked questions
- What is CVE-2025-64526?
- Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from `ctx.request.body.email`, including on routes whose body schema does not contain an `email` field (`/auth/local`, `/auth/reset-password`, `/auth/change-password`). An unauthenticated attacker could include an arbitrary `email` value in the request body to obtain a fresh rate-limit key per request, effectively bypassing per-IP throttling on those routes and enabling high-volume credential brute-force, password-reset code brute-force, and credential-stuffing attempts. The rate-limit key was constructed as `${userIdentifier}:${requestPath}:${ctx.request.ip}`, where `userIdentifier = ctx.request.body.email`. On routes that legitimately use email as their identifier (e.g. `/auth/forgot-password`, `/auth/local/register`), this scoping is correct. On routes that use a different identifier (`identifier` for login, `code` for password reset, `currentPassword` for password change), the email field was not part of the route contract, but the middleware still incorporated it into the key, allowing a caller to rotate the value and obtain a unique key on every request. The patch in version 5.45.0 maintains an allow-list of routes that legitimately key on the email field and excludes that key component on every other route the middleware is mounted on. OAuth callback paths (`/connect/*`) are treated identifier-less. On routes outside the allow-list, the middleware now falls back to a fixed identifier-less key, ensuring per-IP throttling remains effective even when the request body is attacker-controlled.
- How severe is CVE-2025-64526?
- CVE-2025-64526 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability low.
- Is CVE-2025-64526 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (39th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-64526?
- CVE-2025-64526 affects Strapi. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2025-64526?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2025-64526 have an EU (EUVD) identifier?
- Yes. CVE-2025-64526 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-209860.
- When was CVE-2025-64526 published?
- CVE-2025-64526 was published on 2026-05-14 and last updated on 2026-06-17.
References
- https://github.com/strapi/strapi/commit/5e0d243cba9830e6f791de6a94798bcde51468db
- https://github.com/strapi/strapi/pull/24818
- https://github.com/strapi/strapi/releases/tag/v5.45.0
- https://github.com/strapi/strapi/security/advisories/GHSA-7mqx-wwh4-f9fw
Affected products (1)
- cpe:2.3:a:strapi:strapi:*:*:*:*:*:node.js:*:*
More vulnerabilities in Strapi
- CVE-2022-27263 — Critical (CVSS 9.8): An arbitrary file upload vulnerability in the file upload module of Strapi v4.1.5 allows attackers to execute arbitrary…
- CVE-2020-27664 — Critical (CVSS 9.8): admin/src/containers/InputModalStepperProvider/index.js in Strapi before 3.2.5 has unwanted /proxy?url= functionality.
- CVE-2019-18818 — Critical (CVSS 9.8): strapi before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and…
- CVE-2022-31367 — High (CVSS 8.8): Strapi before 3.6.10 and 4.x before 4.1.10 mishandles hidden attributes within admin API responses.
- CVE-2022-32114 — High (CVSS 8.8): An unrestricted file upload vulnerability in the Add New Assets function of Strapi 4.1.12 allows attackers to conduct…
- CVE-2022-30617 — High (CVSS 8.8): An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and…
Other CWE-307 (Improper Restriction of Excessive Authentication Attempts) vulnerabilities
- CVE-2026-6853 — Critical (CVSS 9.8): Improper restriction of excessive authentication attempts vulnerability in Başbelen Group Food Cafe Businesses…
- CVE-2026-8760 — Critical (CVSS 9.8): The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including,…
- CVE-2020-37228 — Critical (CVSS 9.8): iDS6 DSSPro Digital Signage System 6.2 contains a CAPTCHA security bypass vulnerability that allows attackers to bypass…
- CVE-2026-33879 — Critical (CVSS 9.8): Federated Learning and Interoperability Platform (FLIP) is an open-source platform for federated training and…
- CVE-2026-33640 — Critical (CVSS 9.8): Outline is a service that allows for collaborative documentation. Outline implements an Email OTP login flow for users…
- CVE-2026-31851 — Critical (CVSS 9.8): Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement rate limiting or account lockout…
Browse all CWE-307 (Improper Restriction of Excessive Authentication Attempts) vulnerabilities →