Disclosure Summary

Thanks to several community members, we have been notified and patched three security vulnerabilities:

• CVE-2024-31217: GHSA-pm9q-xj9p-96pm
• CVE-2024-29181: GHSA-6j89-frxc-q26m
• CVE-2024-34065: GHSA-wrvh-rcmr-9qfc

Per our security policy, we are performing our due diligence by publicly disclosing these vulnerabilities after careful testing, validation, communication, and our mandatory waiting period. For further details of the patched vulnerabilities, please refer to the information below or consult the linked GitHub Advisories.

We would like to thank the following community members for their participation in our security program:

• CVE-2024-31217: CxDavidepaalte
• CVE-2024-29181: felixdkatt
• CVE-2024-34065: Mathieu Farrell from Quarkslab

Immediate resolution steps for all vulnerabilities disclosed here

To immediately resolve all vulnerabilities detailed in this post, please update all of your Strapi packages to version v4.24.2.

CVE-2024-31217: Denial-of-Service via Improper Exception Handling

Summary of CVE-2024-31217 Vulnerability Details

• CVE: CVE-2024-31217
• CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
• Affected Versions: <=4.21.0
• How to Patch: Immediately update your Strapi to version >=4.22.0

Description of CVE-2024-31217

A Denial-of-Service was found in the media upload process causing the server to crash without restarting, affecting either development and production environments.

Using Specifically crafted requests, a user with the proper permissions to upload assets to a Strapi project could inject a null character within the file-path leading to an unhandled exception and causing the Strapi instance to crash.

IoC's for CVE-2024-31217

Due to the nature of this vulnerability and the fact file paths are not logged by default in the Strapi Server logs, the only way to detect this vulnerability is if you see odd crashes of the application with a similar stack trace as the following:

[2024-03-22 10:23:42.629] http: POST /upload (22 ms) 400
node:internal/fs/utils:379
  const err = new ERR_INVALID_ARG_VALUE(
              ^

TypeError [ERR_INVALID_ARG_VALUE]: The argument 'path' must be a string, Uint8Array, or URL without null bytes. Received '/mnt/storage/Development/GHSA-pm9q-xj9p-96pm/public/uploads/replaceme_png_88efe6a165.png\x00'
    at new WriteStream (node:internal/fs/streams:340:5)
    at Object.createWriteStream (node:fs:3123:10)
    at /mnt/storage/Development/GHSA-pm9q-xj9p-96pm/node_modules/@strapi/provider-upload-local/dist/index.js:71:33
    at new Promise (<anonymous>)
    at Object.uploadStream (/mnt/storage/Development/GHSA-pm9q-xj9p-96pm/node_modules/@strapi/provider-upload-local/dist/index.js:68:16)
    at Object.uploadStream (/mnt/storage/Development/GHSA-pm9q-xj9p-96pm/node_modules/@strapi/plugin-upload/server/register.js:80:35)
    at Object.upload (/mnt/storage/Development/GHSA-pm9q-xj9p-96pm/node_modules/@strapi/plugin-upload/server/services/provider.js:16:46)
    at Object.uploadImage (/mnt/storage/Development/GHSA-pm9q-xj9p-96pm/node_modules/@strapi/plugin-upload/server/services/upload.js:220:48) {
  code: 'ERR_INVALID_ARG_VALUE'
}

Timeline for CVE-2024-31217

CVE-2024-29181: Leaking data via relations via the Admin Panel

Summary of CVE-2024-29181 Vulnerability Details

• CVE: CVE-2024-29181
• CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
• Affected Versions: <=4.19.0
• How to Patch: Immediately update your Strapi to version >=4.19.1

Description of CVE-2024-29181

CVE-2024-29181 is a low severity vulnerability in the Strapi framework, with a CVSS score 2.3. This vulnerability stems from lax RBAC access control on fields that render lists of relations. This vulnerability does not require steps to be exploitable but instead relies on the possibility that a non-super admin user without the privileges to read the related data can see said data in the content manager's create and edit pages. However, a likely attack vector would be unauthorized access to information, the severity of which would depend on what the display field of the list item has been mapped to. For instance, mapping related entities to uuid-v4 strings wouldn't immediately pose a threat, but mapping it to either an email or primary key id could result in an enumeration based attack.

IoC's for CVE-2024-29181

Due to the nature of this vulnerability, there are no other indicators of compromise.

Timeline for CVE-2024-29181

The timeline for this vulnerability is a bit shorter as we only noticed the report after the vulnerability was fixed while fixing another related bug. We are still communicating and disclosing this vulnerability as part of our process.

CVE-2024-34065: 3rd party token leak and authentication bypass

Summary of CVE-2024-34065 Vulnerability Details

• CVE: CVE-2024-34065
• CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
• Affected Versions: <= 4.24.1
• How to Patch: Immediately update your Strapi to version >=4.24.2

Description of CVE-2024-34065

CVE-2024-34065 is a high-severity vulnerability in the Strapi framework, with a CVSS score of 7.1. This vulnerability results from the combination of an Open Redirect and the transmission of session tokens via URL query parameters. Exploiting this vulnerability allows unauthenticated attackers to bypass authentication mechanisms and obtain third-party tokens, potentially leading to unauthorized access to the affected application. A likely attack vector involves a phishing scenario, where attackers trick users into clicking a malicious link, thereby redirecting them to an external domain and capturing their session tokens. The attack requires low complexity and no privileges, though it does require user interaction (a single click).

Special note, this vulnerability will only impact 3rd party providers as part of the users-permissions plugin and only if those providers do not have strict callback/redirect URI validation on the provider side. This does not impact the Strapi Admin panel SSO as all of those providers generally have strict callback/redirect URI validation already.

IoC's for CVE-2024-34065

Using the following regex pattern (replacing your specific provider, in this case showing Discord): ^\[[0-9:-\. ]+\] http: GET \/api\/connect\/discord\/callback\?=.+$ carefully review your logs for any callback address that is not what you have configured.

For example: [2024-05-30 14:27:22.268] http: GET /api/connect/discord/callback?=https://strapi.io

If you detect that this has been used against you, you should immediately update and change your JWT secret. You can find the JWT secret in your .env file or configured as an environment variable called: JWT_SECRET

Timeline for CVE-2024-34065

Commitment to Responsible Disclosure

We at Strapi do believe in responsible disclosure. In the case of these vulnerabilities, we have worked with the security researcher to ensure that the vulnerabilities were patched before the full disclosure of the vulnerabilities. Once a vulnerability is patched, we added a notice to our release notes to inform users there was a security vulnerability but initially wanted to delay detailed disclosure for a few weeks to give time for users to upgrade before the release of the full disclosure. As an additional step, we immediately notified our customers via several emails beforehand to ensure they were aware of the vulnerabilities and to upgrade their Strapi servers.

In this case, we believe that delaying the detailed disclosure was important to ensure that users had the time required to upgrade their Strapi servers before making the details of each vulnerability public, thus placing that information in the hands of bad actors. We also believe that the security researcher was very professional and responsible in handling the vulnerabilities, and we are very thankful for their work in helping us improve the security of Strapi.

We urge anyone who believes they have discovered a security vulnerability to assist us in responsibly disclosing the vulnerability to us by submitting a GitHub Advisory on our main repo or by contacting our security team via security@strapi.io.

Thanks,

The Strapi Security Team