Strapi Content-Type Builder Database-Query Injection Vulnerability

Vulnerability

A database-query injection vulnerability has been identified in Strapi's Content-Type Builder write API. This issue affects Strapi versions 4.x prior to 4.26.1 and 5.x prior to 5.33.2. The vulnerability allows authenticated administrators to inject arbitrary database statements through the 'column.defaultTo' attribute while creating or modifying a content type. By setting 'defaultTo' as a tuple '[value, { isRaw: true }]', the injected value is passed directly into Knex's 'db.connection.raw()' during schema migration, bypassing sanitization. This could lead to arbitrary statement execution at the database level. Depending on the database engine, the vulnerability could be leveraged for arbitrary file reads using database utility functions, for a denial of service by forcing a server crash through schema migration errors, or, on engines that allow external program execution, for remote code execution on the database server.

Impact

Exploitation of this vulnerability could result in unauthorized database access, allowing for arbitrary file reads, causing server crashes, or, on certain database engines, executing remote code on the database server.

Remediation

Users are advised to update Strapi to version 5.33.2 or later for the 5.x branch, and to version 4.26.1 or later for the 4.x branch. After updating to version 5.33.2 or later, production deployments will return a 404 error for requests to the Content-Type Builder write API endpoints, removing the network-reachable attack surface. For version 4.26.1, similar restrictions apply, but users should verify the specific endpoint behavior after updating.
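As an added defensive check (not Strapi's own code), the following audits a content-type definition for the '[value, { isRaw: true }]' default shape described above, so that a schema file or Content-Type Builder request body can be rejected before it reaches a migration. It checks both the 'defaultTo' key named in the advisory and the attribute-level 'default' key; treating 'default' as a second place the value may appear is an assumption.

```javascript
// Added example, not Strapi's own code: audit a content-type definition for the
// raw-statement default shape `[value, { isRaw: true }]` so it can be rejected
// before the definition reaches a schema migration.

// True when a default value uses the tuple form that Knex would treat as raw.
function isRawDefault(value) {
  return (
    Array.isArray(value) &&
    value.length === 2 &&
    value[1] !== null &&
    typeof value[1] === 'object' &&
    Boolean(value[1].isRaw)
  );
}

// Walk the attributes of one content-type definition and list every attribute
// whose default is in raw form. `defaultTo` is the key named in the advisory;
// checking `default` as well is an assumption about where the value may appear.
function findRawDefaults(contentType) {
  const findings = [];
  const attributes = (contentType && contentType.attributes) || {};
  for (const [name, attr] of Object.entries(attributes)) {
    if (!attr || typeof attr !== 'object') continue;
    for (const key of ['defaultTo', 'default']) {
      if (isRawDefault(attr[key])) {
        findings.push({ attribute: name, key });
      }
    }
  }
  return findings;
}

// Gate for a request body or schema file: throws on any raw default.
function assertNoRawDefaults(contentType) {
  const findings = findRawDefaults(contentType);
  if (findings.length > 0) {
    const list = findings.map((f) => `${f.attribute}.${f.key}`).join(', ');
    throw new Error(`raw default rejected on: ${list}`);
  }
  return true;
}

// Constructed sample: one ordinary default and one attribute using the raw tuple.
// The raw value is a placeholder; only its shape matters to the check.
const sampleContentType = {
  attributes: {
    title: { type: 'string', default: 'untitled' },
    note: { type: 'string', defaultTo: ['PLACEHOLDER', { isRaw: true }] },
  },
};

// findRawDefaults(sampleContentType) returns [{ attribute: 'note', key: 'defaultTo' }]
```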

Added: May 14, 2026, 7:46 PM
Updated: May 14, 2026, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 7.5
exploitability: 4.8
remediation: 7.7
relevance: 8.3
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.