CVE-2025-64526

Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from ctx.request.body.email, including on routes whose body schema does not contain an email field...

GHSA-7MQX-WWH4-F9FW Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying

Summary of CVE-2025-64526 Vulnerability Details - CVE: CVE-2025-64526 - CVSS v3.1 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N 6.9 — Medium - Affected Versions: @strapi/plugin-users-permissions =5.45.0 Description of CVE-2025-64526 In Strapi versions prior to 5.45.0, th...