3 matches found
CVE-2025-64526 Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying
Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from ctx.request.body.email, including on routes whose body schema does not contain an email field...
CVE-2025-64526
CVE-2025-64526 (Strapi) affects the @strapi/plugin-users-permissions rate-limiting key construction. In Strapi versions prior to 5.45.0, the rate-limit middleware used the request body’s email field as part of the rate-limit key (userIdentifier = ctx.request.body.email), even on routes where the ...
@piksail/strapi-plugin-publish-coolify (=0.0.1), cypherscan-strapi (=0.1.1) +4 more potentially affected by CVE-2025-64526 via @strapi/plugin-users-permissions (>=5.11.0 <=5.42.1)
@strapi/plugin-users-permissions NPM version =5.11.0, =0.1.0, =0.1.4 - stronges =0.1.1 - test-lead =0.1.0 Source cves: CVE-2025-64526 Source advisory: SNYK:JS-STRAPIPLUGINUSERSPERMISSIONS-16683088...