Strapi
cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*
- < 5.20.0
A CORS misconfiguration vulnerability has been identified in Strapi, an open-source headless content management system, affecting versions prior to 5.20.0. In default installations, Strapi improperly reflects the Origin header value in the Access-Control-Allow-Origin response header without adequate validation or whitelisting. This flaw enables an attacker-controlled site to send credentialed requests to the Strapi backend. Exploitation involves hosting a malicious site on a different origin, such as a different port, and sending requests with credentials to the Strapi API.
Exploitation of this vulnerability could lead to unauthorized access to sensitive data by allowing an attacker to send credentialed requests to the Strapi backend, potentially accessing protected resources or APIs.
Users are advised to update Strapi to version 5.20.0 or later. Additionally, it is recommended to explicitly whitelist trusted origins and avoid reflecting dynamic origins in the CORS configuration.
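The following is an added illustration, not part of this advisory and not Strapi's own code, of the difference between the reflected-origin behaviour described above and the explicit allowlist recommended as mitigation. It also includes a small check a defender can run against their own response headers. The origins (`https://app.example.com`, `https://admin.example.com`, `https://probe.example.net`) are constructed, and the `strapi::cors` entry at the end is a hypothetical sketch of what the corrected `config/middlewares.js` entry would look like; confirm the option names against the Strapi documentation for your version.

```javascript
// Added example, not Strapi's own code. Constructed origins throughout.
const TRUSTED_ORIGINS = ['https://app.example.com', 'https://admin.example.com'];

// Weak pattern: whatever Origin the browser sent is echoed back, so any site
// can obtain a credentialed response from the API.
function reflectOrigin(requestOrigin) {
  return requestOrigin ? requestOrigin : null;
}

// Corrected pattern: only an exact match against the allowlist is echoed;
// every other origin gets no Access-Control-Allow-Origin header at all.
function allowlistOrigin(requestOrigin, allowlist = TRUSTED_ORIGINS) {
  if (typeof requestOrigin !== 'string') return null;
  return allowlist.includes(requestOrigin) ? requestOrigin : null;
}

// Builds the CORS response headers a server would emit for a given resolver.
// Allow-Credentials is only set when an origin was actually allowed, and
// Vary: Origin keeps caches from serving one origin's answer to another.
function corsHeaders(requestOrigin, resolveOrigin) {
  const allowed = resolveOrigin(requestOrigin);
  if (!allowed) return {};
  return {
    'Access-Control-Allow-Origin': allowed,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Defender-side check: given the Origin you sent to your own instance and
// the headers it returned, report whether an origin outside the allowlist
// was reflected with credentials enabled. Useful as a post-upgrade test.
function isReflectingUntrustedOrigin(sentOrigin, responseHeaders, allowlist = TRUSTED_ORIGINS) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  const acac = responseHeaders['Access-Control-Allow-Credentials'];
  return acao === sentOrigin && acac === 'true' && !allowlist.includes(sentOrigin);
}

// Hypothetical shape of the fixed entry in config/middlewares.js: an explicit
// array of trusted origins rather than a value derived from the request.
const corsMiddlewareEntry = {
  name: 'strapi::cors',
  config: { origin: TRUSTED_ORIGINS, credentials: true },
};

// Stand-alone demonstration: the reflected variant answers a probe origin
// with credentials, the allowlisted variant does not.
const probe = 'https://probe.example.net';
console.log('reflected :', corsHeaders(probe, reflectOrigin));
console.log('allowlist :', corsHeaders(probe, allowlistOrigin));
console.log('flagged   :', isReflectingUntrustedOrigin(probe, corsHeaders(probe, reflectOrigin)));
console.log('fixed cfg :', JSON.stringify(corsMiddlewareEntry));
```

The allowlist comparison is an exact string match on the full origin (scheme, host and port); prefix or substring matching would reintroduce the same class of bypass the advisory describes, which is why no wildcard handling is attempted here.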