GHSA-7MQX-WWH4-F9FW

Vulnerability from github – Published: 2026-05-13 20:02 – Updated: 2026-05-13 20:02
VLAI?
Summary
Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying
Details

Summary of CVE-2025-64526 Vulnerability Details

  • CVE: CVE-2025-64526
  • CVSS v3.1 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N (6.9 — Medium)
  • Affected Versions: @strapi/plugin-users-permissions <=5.44.0
  • How to Patch: Immediately update your Strapi to >=5.45.0

Description of CVE-2025-64526

In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from ctx.request.body.email, including on routes whose body schema does not contain an email field (/auth/local, /auth/reset-password, /auth/change-password). An unauthenticated attacker could include an arbitrary email value in the request body to obtain a fresh rate-limit key per request, effectively bypassing per-IP throttling on those routes and enabling high-volume credential brute-force, password-reset code brute-force, and credential-stuffing attempts.

The rate-limit key was constructed as ${userIdentifier}:${requestPath}:${ctx.request.ip}, where userIdentifier = ctx.request.body.email. On routes that legitimately use email as their identifier (e.g. /auth/forgot-password, /auth/local/register), this scoping is correct. On routes that use a different identifier (identifier for login, code for password reset, currentPassword for password change), the email field was not part of the route contract, but the middleware still incorporated it into the key, allowing a caller to rotate the value and obtain a unique key on every request.

The patch maintains an allow-list of routes that legitimately key on the email field and excludes that key component on every other route the middleware is mounted on. OAuth callback paths (/connect/*) are treated identifier-less. On routes outside the allow-list, the middleware now falls back to a fixed identifier-less key, ensuring per-IP throttling remains effective even when the request body is attacker-controlled.

IoC's for CVE-2025-64526

Indicators that an instance running an unpatched version may have been exploited:

  • Unusually high volumes of POST requests to /api/auth/local, /api/auth/reset-password, or /api/auth/change-password from a single IP within a 5-minute window without 429 (Too Many Requests) responses
  • Request bodies on /api/auth/local containing both identifier AND email fields where email varies per request. Body shape regex: "identifier"\s*:\s*"[^"]*",\s*"email"\s*:\s*"[^"]*"
  • Request bodies on /api/auth/reset-password containing an unexpected email field alongside code. Body shape regex: "code"\s*:\s*"[^"]*",.*"email"\s*:
  • Server logs showing many distinct rate-limit key prefixes for the same IP+route combination within the rate-limit window
  • Successful authentication or password reset following hundreds of preceding 401/400 responses from the same IP
Severity ?
6.9 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.44.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@strapi/plugin-users-permissions"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.45.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64526"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-13T20:02:15Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary of CVE-2025-64526 Vulnerability Details\n\n- CVE: CVE-2025-64526\n- CVSS v3.1 Vector: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N` (6.9 \u2014 Medium)\n- Affected Versions: `@strapi/plugin-users-permissions` \u003c=5.44.0\n- How to Patch: Immediately update your Strapi to \u003e=5.45.0\n\n### Description of CVE-2025-64526\n\nIn Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from `ctx.request.body.email`, including on routes whose body schema does not contain an `email` field (`/auth/local`, `/auth/reset-password`, `/auth/change-password`). An unauthenticated attacker could include an arbitrary `email` value in the request body to obtain a fresh rate-limit key per request, effectively bypassing per-IP throttling on those routes and enabling high-volume credential brute-force, password-reset code brute-force, and credential-stuffing attempts.\n\nThe rate-limit key was constructed as `${userIdentifier}:${requestPath}:${ctx.request.ip}`, where `userIdentifier = ctx.request.body.email`. On routes that legitimately use email as their identifier (e.g. `/auth/forgot-password`, `/auth/local/register`), this scoping is correct. On routes that use a different identifier (`identifier` for login, `code` for password reset, `currentPassword` for password change), the email field was not part of the route contract, but the middleware still incorporated it into the key, allowing a caller to rotate the value and obtain a unique key on every request.\n\nThe patch maintains an allow-list of routes that legitimately key on the email field and excludes that key component on every other route the middleware is mounted on. OAuth callback paths (`/connect/*`) are treated identifier-less. On routes outside the allow-list, the middleware now falls back to a fixed identifier-less key, ensuring per-IP throttling remains effective even when the request body is attacker-controlled.\n\n### IoC\u0027s for CVE-2025-64526\n\nIndicators that an instance running an unpatched version may have been exploited:\n\n- Unusually high volumes of `POST` requests to `/api/auth/local`, `/api/auth/reset-password`, or `/api/auth/change-password` from a single IP within a 5-minute window without 429 (Too Many Requests) responses\n- Request bodies on `/api/auth/local` containing both `identifier` AND `email` fields where `email` varies per request. Body shape regex: `\"identifier\"\\s*:\\s*\"[^\"]*\",\\s*\"email\"\\s*:\\s*\"[^\"]*\"`\n- Request bodies on `/api/auth/reset-password` containing an unexpected `email` field alongside `code`. Body shape regex: `\"code\"\\s*:\\s*\"[^\"]*\",.*\"email\"\\s*:`\n- Server logs showing many distinct rate-limit key prefixes for the same IP+route combination within the rate-limit window\n- Successful authentication or password reset following hundreds of preceding 401/400 responses from the same IP",
  "id": "GHSA-7mqx-wwh4-f9fw",
  "modified": "2026-05-13T20:02:15Z",
  "published": "2026-05-13T20:02:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/strapi/strapi/security/advisories/GHSA-7mqx-wwh4-f9fw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strapi/strapi/pull/24818"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strapi/strapi/commit/5e0d243cba9830e6f791de6a94798bcde51468db"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/strapi/strapi"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strapi/strapi/releases/tag/v5.45.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.