Thanks to several community members, we have been notified of and have patched three security vulnerabilities:
Per our security policy, we are performing our due diligence by publicly disclosing these vulnerabilities after careful testing, validation, communication, and our mandatory waiting period. For further details of the patched vulnerabilities, please refer to the information below or consult the linked GitHub Advisories.
We would like to thank the following community members for their participation in our security program:
To immediately resolve all vulnerabilities detailed in this post, please update all of your Strapi packages to version v4.24.2.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
A Denial-of-Service vulnerability was found in the media upload process that causes the server to crash without restarting, affecting both development and production environments.
Using specifically crafted requests, a user with the permissions required to upload assets to a Strapi project could inject a null character into the file path, leading to an unhandled exception that crashes the Strapi instance.
Because file paths are not logged by default in the Strapi server logs, the only way to detect exploitation of this vulnerability is to look for unexpected crashes of the application with a stack trace similar to the following:
```
[2024-03-22 10:23:42.629] http: POST /upload (22 ms) 400
node:internal/fs/utils:379
    const err = new ERR_INVALID_ARG_VALUE(
                ^
TypeError [ERR_INVALID_ARG_VALUE]: The argument 'path' must be a string, Uint8Array, or URL without null bytes. Received '/mnt/storage/Development/GHSA-pm9q-xj9p-96pm/public/uploads/replaceme_png_88efe6a165.png\x00'
    at new WriteStream (node:internal/fs/streams:340:5)
    at Object.createWriteStream (node:fs:3123:10)
    at /mnt/storage/Development/GHSA-pm9q-xj9p-96pm/node_modules/@strapi/provider-upload-local/dist/index.js:71:33
    at new Promise (<anonymous>)
    at Object.uploadStream (/mnt/storage/Development/GHSA-pm9q-xj9p-96pm/node_modules/@strapi/provider-upload-local/dist/index.js:68:16)
    at Object.uploadStream (/mnt/storage/Development/GHSA-pm9q-xj9p-96pm/node_modules/@strapi/plugin-upload/server/register.js:80:35)
    at Object.upload (/mnt/storage/Development/GHSA-pm9q-xj9p-96pm/node_modules/@strapi/plugin-upload/server/services/provider.js:16:46)
    at Object.uploadImage (/mnt/storage/Development/GHSA-pm9q-xj9p-96pm/node_modules/@strapi/plugin-upload/server/services/upload.js:220:48) {
  code: 'ERR_INVALID_ARG_VALUE'
}
```
Time | Event |
---|---|
2024/02/14 02:39am GMT | Report of the vulnerability received by the Strapi Security Team |
2024/02/14 03:24pm GMT | Strapi Security Team acknowledged the report and began investigating |
2024/03/22 05:26pm GMT | Vulnerability report was accepted by the Strapi Team |
2024/03/22 05:49pm GMT | Internal reproduction sent to Strapi Engineering Team to review |
2024/03/22 06:05pm GMT | Internal Patch Development started |
2024/03/25 09:16pm GMT | Initial draft patch completed and experimental created for patch validation |
2024/03/26 05:44pm GMT | Detection of an additional issue was found and reproduction shared to Strapi Engineering Team |
2024/03/26 09:12pm GMT | New patch issued and experimental created for patch validation |
2024/04/04 05:15pm GMT | Patch was merged and released in Strapi v4.22.0 and warning was included in patch notes |
2024/04/04 06:09pm GMT | GitHub issued CVE-2024-31217 per our request |
2023/04/05 04:32pm GMT | Disclosure communication placed on hold due to internal requirements and other vulnerability work being performed |
2024/06/03 05:26pm GMT | Initial warning email was sent out to all Strapi Enterprise and Cloud Customers including Strapi partners with active enterprise contracts |
2024/06/03 12:00pm GMT | Mandatory waiting period of 2 weeks initiated |
2024/06/12 02:00pm GMT | Released the full disclosure of the vulnerability and published GitHub Advisories |
2024/06/12 04:00pm GMT | Disclosure email was sent out to all Strapi Enterprise and Cloud Customers, including Strapi partners with active enterprise contracts |
CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
CVE-2024-29181 is a low-severity vulnerability in the Strapi framework, with a CVSS score of 2.3. It stems from lax RBAC access control on fields that render lists of relations. The vulnerability does not require any exploitation steps; it relies on the fact that a non-super-admin user without the privileges to read the related data can nevertheless see that data on the content manager's create and edit pages. A likely attack vector is therefore unauthorized access to information, the severity of which depends on what the display field of the list item has been mapped to. For instance, mapping related entities to UUID-v4 strings would not immediately pose a threat, but mapping them to an email address or a primary-key id could enable an enumeration-based attack.
Due to the nature of this vulnerability, there are no other indicators of compromise.
The timeline for this vulnerability is a bit shorter as we only noticed the report after the vulnerability was fixed while fixing another related bug. We are still communicating and disclosing this vulnerability as part of our process.
Time | Event |
---|---|
2023/09/01 19:51pm GMT | Report of the vulnerability received by the Strapi Security Team |
2024/01/31 01:58pm GMT | A release was made that patched the vulnerability before the vulnerability report was accepted |
2024/01/31 01:58pm GMT | Patch was released in Strapi version v4.19.1 |
2024/03/21 06:39pm GMT | Vulnerability report was accepted by the Strapi Team |
2024/03/21 08:00pm GMT | GitHub issued CVE-2024-29181 per our request |
2024/03/21 09:00pm GMT | Previous patch validated that it resolved the vulnerability, rest of process expedited retroactively |
2023/04/05 04:32pm GMT | Disclosure communication placed on hold due to internal requirements and other vulnerability work being performed |
2024/06/03 05:26pm GMT | Initial warning email was sent out to all Strapi Enterprise and Cloud Customers including Strapi partners with active enterprise contracts |
2024/06/03 12:00pm GMT | Mandatory waiting period of 2 weeks initiated |
2024/06/12 02:00pm GMT | Released the full disclosure of the vulnerability and published GitHub Advisories |
2024/06/12 04:00pm GMT | Disclosure email was sent out to all Strapi Enterprise and Cloud Customers, including Strapi partners with active enterprise contracts |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
CVE-2024-34065 is a high-severity vulnerability in the Strapi framework, with a CVSS score of 7.1. This vulnerability results from the combination of an Open Redirect and the transmission of session tokens via URL query parameters. Exploiting this vulnerability allows unauthenticated attackers to bypass authentication mechanisms and obtain third-party tokens, potentially leading to unauthorized access to the affected application. A likely attack vector involves a phishing scenario, where attackers trick users into clicking a malicious link, thereby redirecting them to an external domain and capturing their session tokens. The attack requires low complexity and no privileges, though it does require user interaction (a single click).
Special note: this vulnerability only affects third-party providers used through the users-permissions plugin, and only if those providers do not enforce strict callback/redirect URI validation on the provider side. It does not affect Strapi Admin panel SSO, since those providers generally enforce strict callback/redirect URI validation already.
Carefully review your logs for any callback address that is not the one you configured, using the following regex pattern (substitute your specific provider; Discord is shown here): `^\[[0-9:. -]+\] http: GET \/api\/connect\/discord\/callback\?=.+$`
For example: `[2024-05-30 14:27:22.268] http: GET /api/connect/discord/callback?=https://strapi.io`
If you detect that this has been used against you, immediately update Strapi and rotate your JWT secret. The JWT secret is set in your .env file or as an environment variable named `JWT_SECRET`.
Time | Event |
---|---|
2024/02/16 07:51pm GMT | Report of the vulnerability received by the Strapi Security Team |
2024/03/22 10:15pm GMT | Strapi Security Team acknowledged the report and began investigating |
2024/03/26 10:47pm GMT | Decided with reporter not to split this report into two separate reports |
2024/04/25 03:18pm GMT | Vulnerability report was accepted by the Strapi Team |
2024/04/02 03:07pm GMT | An experimental release was made with the changes communicated previously for testing |
2024/05/03 10:00am GMT | GitHub issued CVE-2024-34065 per our request |
2024/05/08 02:18pm GMT | Patch was released in Strapi version v4.24.2 |
2023/04/05 04:32pm GMT | Disclosure communication placed on hold due to internal requirements and other vulnerability work being performed |
2024/06/03 05:26pm GMT | Initial warning email was sent out to all Strapi Enterprise and Cloud Customers including Strapi partners with active enterprise contracts |
2024/06/03 12:00pm GMT | Mandatory waiting period of 2 weeks initiated |
2024/06/12 02:00pm GMT | Released the full disclosure of the vulnerability and published GitHub Advisories |
2024/06/12 04:00pm GMT | Disclosure email was sent out to all Strapi Enterprise and Cloud Customers, including Strapi partners with active enterprise contracts |
We at Strapi believe in responsible disclosure. In the case of these vulnerabilities, we worked with the security researcher to ensure that the vulnerabilities were patched before their full disclosure. Once each vulnerability was patched, we added a notice to our release notes informing users that a security vulnerability had been fixed, but deliberately delayed detailed disclosure for a few weeks to give users time to upgrade before the full disclosure was released. As an additional step, we notified our customers via several emails beforehand to ensure they were aware of the vulnerabilities and could upgrade their Strapi servers.
In this case, we believe that delaying the detailed disclosure was important to ensure that users had the time required to upgrade their Strapi servers before the details of each vulnerability were made public, since doing so also places that information in the hands of bad actors. We also believe that the security researcher was very professional and responsible in handling the vulnerabilities, and we are very thankful for their work in helping us improve the security of Strapi.
We urge anyone who believes they have discovered a security vulnerability to assist us in responsibly disclosing the vulnerability to us by submitting a GitHub Advisory on our main repo or by contacting our security team via security@strapi.io.
Thanks,
The Strapi Security Team