الثغرات ›

CVE-2025-64526

متوسط

CWE-307 — نوع الضعف

                    نُشر: May 14, 2026                      ·  آخر تحديث: May 17, 2026                      ·  المصدر: NVD                

CVSS v3

5.3

🔗 NVD الرسمي

📄 الوصف (الإنجليزية)

Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from `ctx.request.body.email`, including on routes whose body schema does not contain an `email` field (`/auth/local`, `/auth/reset-password`, `/auth/change-password`). An unauthenticated attacker could include an arbitrary `email` value in the request body to obtain a fresh rate-limit key per request, effectively bypassing per-IP throttling on those routes and enabling high-volume credential brute-force, password-reset code brute-force, and credential-stuffing attempts. The rate-limit key was constructed as `${userIdentifier}:${requestPath}:${ctx.request.ip}`, where `userIdentifier = ctx.request.body.email`. On routes that legitimately use email as their identifier (e.g. `/auth/forgot-password`, `/auth/local/register`), this scoping is correct. On routes that use a different identifier (`identifier` for login, `code` for password reset, `currentPassword` for password change), the email field was not part of the route contract, but the middleware still incorporated it into the key, allowing a caller to rotate the value and obtain a unique key on every request. The patch in version 5.45.0 maintains an allow-list of routes that legitimately key on the email field and excludes that key component on every other route the middleware is mounted on. OAuth callback paths (`/connect/*`) are treated identifier-less. On routes outside the allow-list, the middleware now falls back to a fixed identifier-less key, ensuring per-IP throttling remains effective even when the request body is attacker-controlled.

🤖 ملخص AI

Strapi versions prior to 5.45.0 contain a rate-limit bypass vulnerability in the users-permissions plugin that allows unauthenticated attackers to circumvent per-IP throttling on authentication routes by manipulating the email field in request bodies. This enables high-volume brute-force attacks against login, password reset, and password change endpoints. The vulnerability affects organizations using Strapi as their headless CMS, particularly those exposing authentication endpoints to the internet without additional rate-limiting controls.

📄 الوصف (العربية)

🤖 التحليل الذكي آخر تحليل: May 29, 2026 16:43

🇸🇦 التأثير على المملكة العربية السعودية

Saudi organizations using Strapi for content management and authentication systems are at risk, particularly in the banking sector (for customer-facing portals), government digital transformation initiatives, healthcare platforms, and e-commerce operations. The vulnerability enables credential brute-force attacks against user accounts, password reset code enumeration, and credential-stuffing campaigns. Organizations under SAMA oversight managing customer authentication systems face elevated risk of unauthorized account access and potential data breaches. Telecom and digital service providers (STC, Mobily, Zain) using Strapi for customer portals are particularly vulnerable to account takeover attacks.

🏢 القطاعات السعودية المتأثرة

Banking and Financial Services Government and Public Sector Healthcare and Medical Services Telecommunications E-commerce and Retail Media and Publishing Education Energy and Utilities

🎯 تقنيات MITRE ATT&CK

T1110 - Brute Force T1110.001 - Brute Force: Password Guessing T1110.004 - Brute Force: Credential Stuffing T1078 - Valid Accounts T1078.001 - Valid Accounts: Default Accounts T1021 - Remote Services T1190 - Exploit Public-Facing Application

⚖️ درجة المخاطر السعودية (AI)

6.8

/ 10.0

🔧 Remediation Steps (English)

Immediate Actions:

1. Identify all Strapi instances in your environment and determine their version (check package.json or admin panel)

2. If running Strapi < 5.45.0, immediately upgrade to version 5.45.0 or later

3. Review authentication logs for suspicious patterns: multiple failed login attempts from different IPs with varying email values, rapid password reset requests, or unusual password change attempts

Patching Guidance:

1. Test the upgrade in a non-production environment first

2. Back up your Strapi database and configuration before upgrading

3. Run npm update or yarn upgrade to pull version 5.45.0+

4. Restart Strapi services after upgrade

5. Verify rate-limiting is functioning by testing authentication endpoints

Compensating Controls (if immediate patching is delayed):

1. Implement WAF rules to detect and block requests with rapidly changing email values to /auth/* endpoints

2. Deploy reverse proxy rate-limiting at the infrastructure level (nginx, HAProxy) with per-IP limits on /auth/local, /auth/reset-password, /auth/change-password

3. Implement CAPTCHA on authentication forms to prevent automated attacks

4. Monitor for brute-force patterns: alert on >5 failed login attempts per IP per minute

5. Enable account lockout after 5 failed login attempts for 15 minutes

Detection Rules:

1. Alert on requests to /auth/local, /auth/reset-password, /auth/change-password with email field values that change on every request from the same source IP

2. Monitor for >10 requests per second to authentication endpoints from single IP

3. Flag password reset requests with >3 different email values from same IP within 5 minutes

4. Detect credential stuffing patterns: multiple failed logins followed by successful login with different credentials

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. حدد جميع مثيلات Strapi في بيئتك وحدد إصدارها (تحقق من package.json أو لوحة المسؤول)

2. إذا كنت تقوم بتشغيل Strapi < 5.45.0، قم بالترقية فوراً إلى الإصدار 5.45.0 أو أحدث

3. راجع سجلات المصادقة للبحث عن أنماط مريبة: محاولات تسجيل دخول فاشلة متعددة من عناوين IP مختلفة بقيم بريد إلكتروني متغيرة

إرشادات التصحيح:

1. اختبر الترقية في بيئة غير إنتاجية أولاً

2. قم بعمل نسخة احتياطية من قاعدة بيانات Strapi والإعدادات قبل الترقية

3. قم بتشغيل npm update أو yarn upgrade لسحب الإصدار 5.45.0+

4. أعد تشغيل خدمات Strapi بعد الترقية

5. تحقق من أن تحديد المعدل يعمل بشكل صحيح عن طريق اختبار نقاط نهاية المصادقة

عناصر التحكم البديلة (إذا تأخر التصحيح الفوري):

1. تنفيذ قواعد WAF للكشف عن الطلبات ذات قيم البريد الإلكتروني المتغيرة بسرعة إلى نقاط نهاية /auth/* وحظرها

2. نشر تحديد معدل وكيل عكسي على مستوى البنية الأساسية (nginx، HAProxy) مع حدود لكل IP

3. تنفيذ CAPTCHA على نماذج المصادقة

4. مراقبة أنماط القوة الغاشمة: تنبيه عند >5 محاولات تسجيل دخول فاشلة لكل IP في الدقيقة

5. تفعيل قفل الحساب بعد 5 محاولات تسجيل دخول فاشلة لمدة 15 دقيقة

قواعد الكشف:

1. تنبيه على الطلبات إلى /auth/local و /auth/reset-password و /auth/change-password بقيم حقل البريد الإلكتروني التي تتغير في كل طلب من نفس IP المصدر

2. مراقبة >10 طلبات في الثانية إلى نقاط نهاية المصادقة من IP واحد

3. وضع علامة على طلبات إعادة تعيين كلمة المرور بـ >3 قيم بريد إلكتروني مختلفة من نفس IP خلال 5 دقائق

4. الكشف عن أنماط حشو بيانات الاعتماد: محاولات تسجيل دخول متعددة فاشلة متبوعة بتسجيل دخول ناجح

📋 خريطة الامتثال التنظيمي

🟢 NCA ECC 2024

A.5.1.1 - Information security policies and procedures A.5.2.1 - User access management and authentication controls A.5.3.1 - Access control implementation A.6.1.1 - Cryptography and authentication mechanisms A.7.1.1 - Event logging and monitoring

🔵 SAMA CSF

ID.AM-2 - Software, platforms, and applications are inventoried PR.AC-1 - Identities and credentials are issued, managed, verified, revoked, and audited PR.AC-6 - Access control policies are enforced DE.CM-1 - The network is monitored to detect potential cybersecurity events DE.AE-1 - A baseline of network operations and expected data flows for users and systems is established and managed

🟡 ISO 27001:2022

A.5.1.1 - Policies for information security A.6.1.2 - Access to information and other associated assets A.6.2.1 - User registration and de-registration A.6.2.2 - User access provisioning A.8.1.1 - Audit logging A.8.2.1 - Information transfer policies and procedures A.8.3.1 - Segregation of duties

🟣 PCI DSS v4.0.1

Requirement 2.1 - Configuration standards for system components Requirement 6.2 - Security patches and updates Requirement 8.1 - User identification and authentication Requirement 8.2 - Secure authentication methods Requirement 8.5 - Access control and user authentication

🔗 المراجع والمصادر 4

🔗

https://github.com/strapi/strapi/commit/5e0d243cba9830e6f791de6a94798bcde51468db

security-advisories@github.com

Patch

🔗

https://github.com/strapi/strapi/pull/24818

security-advisories@github.com

Issue Tracking

🔗

https://github.com/strapi/strapi/releases/tag/v5.45.0

security-advisories@github.com

Patch Product

🔗

https://github.com/strapi/strapi/security/advisories/GHSA-7mqx-wwh4-f9fw

security-advisories@github.com

Vendor Advisory

📦 المنتجات المتأثرة 1 منتج

strapi:strapi

📊 CVSS Score

5.3

/ 10.0 — متوسط

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityN — None / Network

IntegrityN — None / Network

AvailabilityL — Low / Local

📋 حقائق سريعة

الخطورة متوسط

CVSS Score5.3

CWECWE-307

EPSS0.01%

اختراق متاح لا

تصحيح متاح ✓ نعم

تاريخ النشر 2026-05-14

المصدر nvd

المشاهدات 2

🇸🇦 درجة المخاطر السعودية

6.8

/ 10.0 — مخاطر السعودية

أولوية: HIGH

🏷️ الوسوم

patch-available CWE-307

🏢 توجيهات البائع

🔗 https://github.com/strapi/strapi/security/advisories...

⚡ إجراءات

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2025-64526

عرّفنا بنفسك

تسجيل الدخول مطلوب