Strapi Users-Permissions Plugin Rate Limit Bypass Vulnerability

Vulnerability

A vulnerability exists in the Strapi users-permissions plugin, in versions up to and including 5.44.0, that allows a rate-limit bypass on certain authentication routes. The issue arises because the rate-limit middleware includes `ctx.request.body.email` in the rate-limit key even for routes that do not use the email field to identify the account. Because that field is attacker-controlled, an unauthenticated attacker can vary the email value and obtain a unique rate-limit key for each request, circumventing per-IP throttling. As a result, attackers can launch high-volume brute-force attacks against credentials and password reset codes, and carry out credential stuffing.
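As an added illustration, not code from Strapi or from this advisory, the following contrasts a rate-limit key that blends in the untrusted `ctx.request.body.email` (the pattern the advisory describes) with one keyed only on the client IP and route path, and simulates the effect on `/auth/local`; the `emailRoutes` set is an assumed configuration input, since the advisory does not enumerate which routes legitimately identify the account by email.

```javascript
// Added illustration, not Strapi's own middleware: why an attacker-controlled
// request field in a rate-limit key defeats per-IP throttling, beside a key
// derivation that trusts only the client IP and the route path.

// Vulnerable pattern (as the advisory describes it): the key mixes in
// ctx.request.body.email on every route, so each distinct email value
// gets its own fresh counter.
function vulnerableKey(ctx) {
  const email = ctx.request.body && ctx.request.body.email;
  return `${ctx.request.ip}:${ctx.request.path}:${email || ''}`;
}

// Fixed pattern: key on IP and path only. The email is appended solely for
// routes that legitimately identify the account by email (emailRoutes is an
// assumed configuration input; the advisory does not enumerate them), and it
// is normalised so case or whitespace variants cannot fan out into buckets.
function fixedKey(ctx, emailRoutes = new Set()) {
  const base = `${ctx.request.ip}:${ctx.request.path}`;
  if (!emailRoutes.has(ctx.request.path)) return base;
  const raw = ctx.request.body && ctx.request.body.email;
  const email = typeof raw === 'string' ? raw.trim().toLowerCase() : '';
  return `${base}:${email}`;
}

// Minimal in-memory fixed-window limiter; returns true if the request passes.
function makeLimiter(keyFn, max) {
  const counts = new Map();
  return (ctx) => {
    const key = keyFn(ctx);
    const n = (counts.get(key) || 0) + 1;
    counts.set(key, n);
    return n <= max;
  };
}

// Constructed sample traffic: one client IP sends `attempts` login requests
// to /auth/local (a route the advisory lists), each carrying a different
// throw-away email. Returns how many requests the limiter let through.
function simulate(keyFn, max = 5, attempts = 10) {
  const allow = makeLimiter(keyFn, max);
  let allowed = 0;
  for (let i = 0; i < attempts; i++) {
    const ctx = { request: { ip: '203.0.113.7', path: '/auth/local',
      body: { identifier: 'alice', password: 'guess', email: `u${i}@example.invalid` } } };
    if (allow(ctx)) allowed++;
  }
  return allowed;
}
```

With a limit of 5, `simulate(vulnerableKey)` lets all 10 requests through because every request lands in a new bucket, while `simulate(fixedKey)` stops at 5; a defender checking a limiter should confirm that no request-body field the client controls reaches the key.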

Impact

Exploitation of this vulnerability allows for the bypass of rate limits on specific authentication routes, enabling high-volume brute-force attacks on user credentials and password reset processes.

Reproduction

To reproduce this vulnerability, send a POST request to one of the affected routes (`/auth/local`, `/auth/reset-password`, or `/auth/change-password`), none of which uses the email field to identify the account, and include an arbitrary email value in the request body. The rate-limit middleware incorporates the injected email into the key, creating a fresh rate-limit bucket for the request and bypassing the normal throttling. Varying the email value on each request can therefore be automated to send a large number of requests in a short period, which is exactly the lack of effective rate limiting on these routes that the vulnerability describes.

Remediation

Users can update Strapi to version 5.45.0 or later, where this vulnerability has been patched.

Added: May 14, 2026, 7:46 PM
Updated: May 14, 2026, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 0.6
exploitability: 9.1
remediation: 7.7
relevance: 8.3
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.